To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.4.138
- compare with another revision
- download diff
- download tarball
- view history from revision 237.4.138
- Committer: Teddy Hogeborn
- Date: 2022-04-25 18:46:48 UTC
- mto: This revision was merged to the branch mainline in revision 1261.
- Revision ID: teddy@recompile.se-20220425184648-w9nas5qn94qcllum
Tags: version-1.8.15-1
Version 1.8.15-1
* Makefile (version): Change to "1.8.15".
* NEWS (Version 1.8.15): Add new entry.
* debian/changelog (1.8.15-1): - '' -
* Makefile (version): Change to "1.8.15".
* NEWS (Version 1.8.15): Add new entry.
* debian/changelog (1.8.15-1): - '' -
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- coding: utf-8; lexical-binding: t -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2022 Teddy Hogeborn
15
# Copyright © 2008-2022 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
30
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
33
#
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
39
39
except ImportError:
40
40
pass
41
41
42
import sys
43
import unittest
44
import argparse
45
import logging
46
import os
42
47
try:
43
48
import SocketServer as socketserver
44
49
except ImportError:
45
50
import socketserver
46
51
import socket
47
import argparse
48
52
import datetime
49
53
import errno
50
54
try:
51
55
import ConfigParser as configparser
52
56
except ImportError:
53
57
import configparser
54
import sys
55
58
import re
56
import os
57
59
import signal
58
60
import subprocess
59
61
import atexit
60
62
import stat
61
import logging
62
63
import logging.handlers
63
64
import pwd
64
65
import contextlib
76
77
import itertools
77
78
import collections
78
79
import codecs
80
import random
81
import shlex
79
82
80
83
import dbus
81
84
import dbus.service
85
import gi
82
86
from gi.repository import GLib
83
87
from dbus.mainloop.glib import DBusGMainLoop
84
88
import ctypes
86
90
import xml.dom.minidom
87
91
import inspect
88
92
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
input = raw_input
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
89
118
# Try to find the value of SO_BINDTODEVICE:
90
119
try:
91
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
111
140
# No value found
112
141
SO_BINDTODEVICE = None
113
142
114
if sys.version_info.major == 2:
115
str = unicode
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
116
145
117
version = "1.7.14"
146
version = "1.8.15"
118
147
stored_state_file = "clients.pickle"
119
148
120
logger = logging.getLogger()
149
log = logging.getLogger(os.path.basename(sys.argv[0]))
150
logging.captureWarnings(True) # Show warnings via the logging system
121
151
syslogger = None
122
152
123
153
try:
159
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
190
address="/dev/log"))
161
191
syslogger.setFormatter(logging.Formatter
162
('Mandos [%(process)d]: %(levelname)s:'
163
' %(message)s'))
164
logger.addHandler(syslogger)
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
194
log.addHandler(syslogger)
165
195
166
196
if debug:
167
197
console = logging.StreamHandler()
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
169
' [%(process)d]:'
170
' %(levelname)s:'
171
' %(message)s'))
172
logger.addHandler(console)
173
logger.setLevel(level)
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
202
log.addHandler(console)
203
log.setLevel(level)
174
204
175
205
176
206
class PGPError(Exception):
178
208
pass
179
209
180
210
181
class PGPEngine(object):
211
class PGPEngine:
182
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
213
184
214
def __init__(self):
188
218
output = subprocess.check_output(["gpgconf"])
189
219
for line in output.splitlines():
190
220
name, text, path = line.split(b":")
191
if name == "gpg":
221
if name == b"gpg":
192
222
self.gpg = path
193
223
break
194
224
except OSError as e:
195
225
if e.errno != errno.ENOENT:
196
226
raise
197
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
199
'--force-mdc',
200
'--quiet']
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
201
231
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
203
233
self.gnupgargs.append("--no-use-agent")
204
234
205
235
def __enter__(self):
242
272
dir=self.tempdir) as passfile:
243
273
passfile.write(passphrase)
244
274
passfile.flush()
245
proc = subprocess.Popen([self.gpg, '--symmetric',
246
'--passphrase-file',
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
247
277
passfile.name]
248
278
+ self.gnupgargs,
249
279
stdin=subprocess.PIPE,
260
290
dir=self.tempdir) as passfile:
261
291
passfile.write(passphrase)
262
292
passfile.flush()
263
proc = subprocess.Popen([self.gpg, '--decrypt',
264
'--passphrase-file',
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
265
295
passfile.name]
266
296
+ self.gnupgargs,
267
297
stdin=subprocess.PIPE,
274
304
275
305
276
306
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
280
309
IF_UNSPEC = -1 # avahi-common/address.h
281
310
PROTO_UNSPEC = -1 # avahi-common/address.h
282
311
PROTO_INET = 0 # avahi-common/address.h
286
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
316
DBUS_PATH_SERVER = "/"
288
317
289
def string_array_to_txt_array(self, t):
318
@staticmethod
319
def string_array_to_txt_array(t):
290
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
321
for s in t), signature="ay")
292
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
297
327
SERVER_RUNNING = 2 # avahi-common/defs.h
298
328
SERVER_COLLISION = 3 # avahi-common/defs.h
299
329
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
330
302
331
303
332
class AvahiError(Exception):
315
344
pass
316
345
317
346
318
class AvahiService(object):
347
class AvahiService:
319
348
"""An Avahi (Zeroconf) service.
320
349
321
350
Attributes:
322
351
interface: integer; avahi.IF_UNSPEC or an interface index.
323
352
Used to optionally bind to the specified interface.
324
name: string; Example: 'Mandos'
325
type: string; Example: '_mandos._tcp'.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
326
355
See <https://www.iana.org/assignments/service-names-port-numbers>
327
356
port: integer; what port to announce
328
357
TXT: list of strings; TXT record for the service
365
394
def rename(self, remove=True):
366
395
"""Derived from the Avahi example code"""
367
396
if self.rename_count >= self.max_renames:
368
logger.critical("No suitable Zeroconf service name found"
369
" after %i retries, exiting.",
370
self.rename_count)
397
log.critical("No suitable Zeroconf service name found"
398
" after %i retries, exiting.",
399
self.rename_count)
371
400
raise AvahiServiceError("Too many renames")
372
401
self.name = str(
373
402
self.server.GetAlternativeServiceName(self.name))
374
403
self.rename_count += 1
375
logger.info("Changing Zeroconf service name to %r ...",
376
self.name)
404
log.info("Changing Zeroconf service name to %r ...",
405
self.name)
377
406
if remove:
378
407
self.remove()
379
408
try:
381
410
except dbus.exceptions.DBusException as error:
382
411
if (error.get_dbus_name()
383
412
== "org.freedesktop.Avahi.CollisionError"):
384
logger.info("Local Zeroconf service name collision.")
413
log.info("Local Zeroconf service name collision.")
385
414
return self.rename(remove=False)
386
415
else:
387
logger.critical("D-Bus Exception", exc_info=error)
416
log.critical("D-Bus Exception", exc_info=error)
388
417
self.cleanup()
389
418
os._exit(1)
390
419
406
435
avahi.DBUS_INTERFACE_ENTRY_GROUP)
407
436
self.entry_group_state_changed_match = (
408
437
self.group.connect_to_signal(
409
'StateChanged', self.entry_group_state_changed))
410
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
411
self.name, self.type)
438
"StateChanged", self.entry_group_state_changed))
439
log.debug("Adding Zeroconf service '%s' of type '%s' ...",
440
self.name, self.type)
412
441
self.group.AddService(
413
442
self.interface,
414
443
self.protocol,
421
450
422
451
def entry_group_state_changed(self, state, error):
423
452
"""Derived from the Avahi example code"""
424
logger.debug("Avahi entry group state change: %i", state)
453
log.debug("Avahi entry group state change: %i", state)
425
454
426
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
logger.debug("Zeroconf service established.")
456
log.debug("Zeroconf service established.")
428
457
elif state == avahi.ENTRY_GROUP_COLLISION:
429
logger.info("Zeroconf service name collision.")
458
log.info("Zeroconf service name collision.")
430
459
self.rename()
431
460
elif state == avahi.ENTRY_GROUP_FAILURE:
432
logger.critical("Avahi: Error in group state changed %s",
433
str(error))
461
log.critical("Avahi: Error in group state changed %s",
462
str(error))
434
463
raise AvahiGroupError("State changed: {!s}".format(error))
435
464
436
465
def cleanup(self):
446
475
447
476
def server_state_changed(self, state, error=None):
448
477
"""Derived from the Avahi example code"""
449
logger.debug("Avahi server state change: %i", state)
478
log.debug("Avahi server state change: %i", state)
450
479
bad_states = {
451
480
avahi.SERVER_INVALID: "Zeroconf server invalid",
452
481
avahi.SERVER_REGISTERING: None,
456
485
if state in bad_states:
457
486
if bad_states[state] is not None:
458
487
if error is None:
459
logger.error(bad_states[state])
488
log.error(bad_states[state])
460
489
else:
461
logger.error(bad_states[state] + ": %r", error)
490
log.error(bad_states[state] + ": %r", error)
462
491
self.cleanup()
463
492
elif state == avahi.SERVER_RUNNING:
464
493
try:
466
495
except dbus.exceptions.DBusException as error:
467
496
if (error.get_dbus_name()
468
497
== "org.freedesktop.Avahi.CollisionError"):
469
logger.info("Local Zeroconf service name"
470
" collision.")
498
log.info("Local Zeroconf service name collision.")
471
499
return self.rename(remove=False)
472
500
else:
473
logger.critical("D-Bus Exception", exc_info=error)
501
log.critical("D-Bus Exception", exc_info=error)
474
502
self.cleanup()
475
503
os._exit(1)
476
504
else:
477
505
if error is None:
478
logger.debug("Unknown state: %r", state)
506
log.debug("Unknown state: %r", state)
479
507
else:
480
logger.debug("Unknown state: %r: %r", state, error)
508
log.debug("Unknown state: %r: %r", state, error)
481
509
482
510
def activate(self):
483
511
"""Derived from the Avahi example code"""
495
523
class AvahiServiceToSyslog(AvahiService):
496
524
def rename(self, *args, **kwargs):
497
525
"""Add the new name to the syslog messages"""
498
ret = AvahiService.rename(self, *args, **kwargs)
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
527
**kwargs)
499
528
syslogger.setFormatter(logging.Formatter(
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
501
530
.format(self.name)))
502
531
return ret
503
532
504
533
505
534
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
509
537
510
538
library = ctypes.util.find_library("gnutls")
511
539
if library is None:
512
540
library = ctypes.util.find_library("gnutls-deb0")
513
541
_library = ctypes.cdll.LoadLibrary(library)
514
542
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
543
524
544
# Unless otherwise indicated, the constants and types below are
525
545
# all from the gnutls/gnutls.h C header file.
529
549
E_INTERRUPTED = -52
530
550
E_AGAIN = -28
531
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
532
553
CLIENT = 2
533
554
SHUT_RDWR = 0
534
555
CRD_CERTIFICATE = 1
535
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
536
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
563
538
564
# Types
539
class session_int(ctypes.Structure):
565
class _session_int(ctypes.Structure):
540
566
_fields_ = []
541
session_t = ctypes.POINTER(session_int)
567
session_t = ctypes.POINTER(_session_int)
542
568
543
569
class certificate_credentials_st(ctypes.Structure):
544
570
_fields_ = []
547
573
certificate_type_t = ctypes.c_int
548
574
549
575
class datum_t(ctypes.Structure):
550
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
551
('size', ctypes.c_uint)]
576
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
577
("size", ctypes.c_uint)]
552
578
553
class openpgp_crt_int(ctypes.Structure):
579
class _openpgp_crt_int(ctypes.Structure):
554
580
_fields_ = []
555
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
581
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
556
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
557
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
558
584
credentials_type_t = ctypes.c_int
561
587
562
588
# Exceptions
563
589
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
590
def __init__(self, message=None, code=None, args=()):
569
591
# Default usage is by a message string, but if a return
570
592
# code is passed, convert it to a string with
571
593
# gnutls.strerror()
572
594
self.code = code
573
595
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
576
599
message, *args)
577
600
578
601
class CertificateSecurityError(Error):
579
602
pass
580
603
604
class PointerTo:
605
def __init__(self, cls):
606
self.cls = cls
607
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
613
614
class CastToVoidPointer:
615
def __init__(self, cls):
616
self.cls = cls
617
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
623
624
class With_from_param:
625
@classmethod
626
def from_param(cls, obj):
627
return obj._as_parameter_
628
581
629
# Classes
582
class Credentials(object):
630
class Credentials(With_from_param):
583
631
def __init__(self):
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
587
634
self.type = gnutls.CRD_CERTIFICATE
588
635
589
636
def __del__(self):
590
gnutls.certificate_free_credentials(self._c_object)
637
gnutls.certificate_free_credentials(self)
591
638
592
class ClientSession(object):
639
class ClientSession(With_from_param):
593
640
def __init__(self, socket, credentials=None):
594
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
596
gnutls.set_default_priority(self._c_object)
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
gnutls.handshake_set_private_extensions(self._c_object,
599
True)
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
645
if gnutls.has_rawpk:
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
648
del gnutls_flags
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
600
652
self.socket = socket
601
653
if credentials is None:
602
654
credentials = gnutls.Credentials()
603
gnutls.credentials_set(self._c_object, credentials.type,
604
ctypes.cast(credentials._c_object,
605
ctypes.c_void_p))
655
gnutls.credentials_set(self, credentials.type,
656
credentials)
606
657
self.credentials = credentials
607
658
608
659
def __del__(self):
609
gnutls.deinit(self._c_object)
660
gnutls.deinit(self)
610
661
611
662
def handshake(self):
612
return gnutls.handshake(self._c_object)
663
return gnutls.handshake(self)
613
664
614
665
def send(self, data):
615
666
data = bytes(data)
616
667
data_len = len(data)
617
668
while data_len > 0:
618
data_len -= gnutls.record_send(self._c_object,
619
data[-data_len:],
669
data_len -= gnutls.record_send(self, data[-data_len:],
620
670
data_len)
621
671
622
672
def bye(self):
623
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
624
674
625
675
# Error handling functions
626
676
def _error_code(result):
627
677
"""A function to raise exceptions on errors, suitable
628
for the 'restype' attribute on ctypes functions"""
629
if result >= 0:
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
630
680
return result
631
681
if result == gnutls.E_NO_CERTIFICATE_FOUND:
632
682
raise gnutls.CertificateSecurityError(code=result)
633
683
raise gnutls.Error(code=result)
634
684
635
def _retry_on_error(result, func, arguments):
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
636
687
"""A function to retry on some errors, suitable
637
for the 'errcheck' attribute on ctypes functions"""
638
while result < 0:
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
639
690
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
640
691
return _error_code(result)
641
692
result = func(*arguments)
646
697
647
698
# Functions
648
699
priority_set_direct = _library.gnutls_priority_set_direct
649
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
650
701
ctypes.POINTER(ctypes.c_char_p)]
651
702
priority_set_direct.restype = _error_code
652
703
653
704
init = _library.gnutls_init
654
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
655
706
init.restype = _error_code
656
707
657
708
set_default_priority = _library.gnutls_set_default_priority
658
set_default_priority.argtypes = [session_t]
709
set_default_priority.argtypes = [ClientSession]
659
710
set_default_priority.restype = _error_code
660
711
661
712
record_send = _library.gnutls_record_send
662
record_send.argtypes = [session_t, ctypes.c_void_p,
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
663
714
ctypes.c_size_t]
664
715
record_send.restype = ctypes.c_ssize_t
665
716
record_send.errcheck = _retry_on_error
667
718
certificate_allocate_credentials = (
668
719
_library.gnutls_certificate_allocate_credentials)
669
720
certificate_allocate_credentials.argtypes = [
670
ctypes.POINTER(certificate_credentials_t)]
721
PointerTo(Credentials)]
671
722
certificate_allocate_credentials.restype = _error_code
672
723
673
724
certificate_free_credentials = (
674
725
_library.gnutls_certificate_free_credentials)
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
726
certificate_free_credentials.argtypes = [Credentials]
677
727
certificate_free_credentials.restype = None
678
728
679
729
handshake_set_private_extensions = (
680
730
_library.gnutls_handshake_set_private_extensions)
681
handshake_set_private_extensions.argtypes = [session_t,
731
handshake_set_private_extensions.argtypes = [ClientSession,
682
732
ctypes.c_int]
683
733
handshake_set_private_extensions.restype = None
684
734
685
735
credentials_set = _library.gnutls_credentials_set
686
credentials_set.argtypes = [session_t, credentials_type_t,
687
ctypes.c_void_p]
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
688
738
credentials_set.restype = _error_code
689
739
690
740
strerror = _library.gnutls_strerror
692
742
strerror.restype = ctypes.c_char_p
693
743
694
744
certificate_type_get = _library.gnutls_certificate_type_get
695
certificate_type_get.argtypes = [session_t]
745
certificate_type_get.argtypes = [ClientSession]
696
746
certificate_type_get.restype = _error_code
697
747
698
748
certificate_get_peers = _library.gnutls_certificate_get_peers
699
certificate_get_peers.argtypes = [session_t,
749
certificate_get_peers.argtypes = [ClientSession,
700
750
ctypes.POINTER(ctypes.c_uint)]
701
751
certificate_get_peers.restype = ctypes.POINTER(datum_t)
702
752
709
759
global_set_log_function.restype = None
710
760
711
761
deinit = _library.gnutls_deinit
712
deinit.argtypes = [session_t]
762
deinit.argtypes = [ClientSession]
713
763
deinit.restype = None
714
764
715
765
handshake = _library.gnutls_handshake
716
handshake.argtypes = [session_t]
717
handshake.restype = _error_code
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
718
768
handshake.errcheck = _retry_on_error
719
769
720
770
transport_set_ptr = _library.gnutls_transport_set_ptr
721
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
722
772
transport_set_ptr.restype = None
723
773
724
774
bye = _library.gnutls_bye
725
bye.argtypes = [session_t, close_request_t]
726
bye.restype = _error_code
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
727
777
bye.errcheck = _retry_on_error
728
778
729
779
check_version = _library.gnutls_check_version
730
780
check_version.argtypes = [ctypes.c_char_p]
731
781
check_version.restype = ctypes.c_char_p
732
782
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
787
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
790
791
if has_rawpk:
792
# Types
793
class pubkey_st(ctypes.Structure):
794
_fields = []
795
pubkey_t = ctypes.POINTER(pubkey_st)
796
797
x509_crt_fmt_t = ctypes.c_int
798
799
# All the function declarations below are from
800
# gnutls/abstract.h
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
804
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
807
x509_crt_fmt_t]
808
pubkey_import.restype = _error_code
809
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
815
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
819
else:
820
# All the function declarations below are from
821
# gnutls/openpgp.h
822
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
826
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
830
openpgp_crt_fmt_t]
831
openpgp_crt_import.restype = _error_code
832
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
836
openpgp_crt_t,
837
ctypes.c_uint,
838
ctypes.POINTER(ctypes.c_uint),
839
]
840
openpgp_crt_verify_self.restype = _error_code
841
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
845
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
849
ctypes.c_void_p,
850
ctypes.POINTER(
851
ctypes.c_size_t)]
852
openpgp_crt_get_fingerprint.restype = _error_code
853
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
761
858
762
859
# Remove non-public functions
763
860
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
766
861
767
862
768
863
def call_pipe(connection, # : multiprocessing.Connection
776
871
connection.close()
777
872
778
873
779
class Client(object):
874
class Client:
780
875
"""A representation of a client host served by this server.
781
876
782
877
Attributes:
783
approved: bool(); 'None' if not yet approved/disapproved
878
approved: bool(); None if not yet approved/disapproved
784
879
approval_delay: datetime.timedelta(); Time to wait for approval
785
880
approval_duration: datetime.timedelta(); Duration of one approval
786
checker: subprocess.Popen(); a running checker process used
787
to see if the client lives.
788
'None' if no process is running.
881
checker: multiprocessing.Process(); a running checker process used
882
to see if the client lives. None if no process is
883
running.
789
884
checker_callback_tag: a GLib event source tag, or None
790
885
checker_command: string; External command which is run to check
791
886
if client lives. %() expansions are done at
799
894
disable_initiator_tag: a GLib event source tag, or None
800
895
enabled: bool()
801
896
fingerprint: string (40 or 32 hexadecimal digits); used to
802
uniquely identify the client
897
uniquely identify an OpenPGP client
898
key_id: string (64 hexadecimal digits); used to uniquely identify
899
a client using raw public keys
803
900
host: string; available for use by the checker command
804
901
interval: datetime.timedelta(); How often to start a new checker
805
902
last_approval_request: datetime.datetime(); (UTC) or None
823
920
"""
824
921
825
922
runtime_expansions = ("approval_delay", "approval_duration",
826
"created", "enabled", "expires",
923
"created", "enabled", "expires", "key_id",
827
924
"fingerprint", "host", "interval",
828
925
"last_approval_request", "last_checked_ok",
829
926
"last_enabled", "name", "timeout")
859
956
client["enabled"] = config.getboolean(client_name,
860
957
"enabled")
861
958
862
# Uppercase and remove spaces from fingerprint for later
863
# comparison purposes with return value from the
864
# fingerprint() function
959
# Uppercase and remove spaces from key_id and fingerprint
960
# for later comparison purposes with return value from the
961
# key_id() and fingerprint() functions
962
client["key_id"] = (section.get("key_id", "").upper()
963
.replace(" ", ""))
865
964
client["fingerprint"] = (section["fingerprint"].upper()
866
965
.replace(" ", ""))
867
966
if "secret" in section:
910
1009
self.last_enabled = None
911
1010
self.expires = None
912
1011
913
logger.debug("Creating client %r", self.name)
914
logger.debug(" Fingerprint: %s", self.fingerprint)
1012
log.debug("Creating client %r", self.name)
1013
log.debug(" Key ID: %s", self.key_id)
1014
log.debug(" Fingerprint: %s", self.fingerprint)
915
1015
self.created = settings.get("created",
916
1016
datetime.datetime.utcnow())
917
1017
956
1056
if not getattr(self, "enabled", False):
957
1057
return False
958
1058
if not quiet:
959
logger.info("Disabling client %s", self.name)
1059
log.info("Disabling client %s", self.name)
960
1060
if getattr(self, "disable_initiator_tag", None) is not None:
961
1061
GLib.source_remove(self.disable_initiator_tag)
962
1062
self.disable_initiator_tag = None
980
1080
if self.checker_initiator_tag is not None:
981
1081
GLib.source_remove(self.checker_initiator_tag)
982
1082
self.checker_initiator_tag = GLib.timeout_add(
983
int(self.interval.total_seconds() * 1000),
1083
random.randrange(int(self.interval.total_seconds() * 1000
1084
+ 1)),
984
1085
self.start_checker)
985
1086
# Schedule a disable() when 'timeout' has passed
986
1087
if self.disable_initiator_tag is not None:
993
1094
def checker_callback(self, source, condition, connection,
994
1095
command):
995
1096
"""The checker has completed, so take appropriate actions."""
996
self.checker_callback_tag = None
997
self.checker = None
998
1097
# Read return code from connection (see call_pipe)
999
1098
returncode = connection.recv()
1000
1099
connection.close()
1100
if self.checker is not None:
1101
self.checker.join()
1102
self.checker_callback_tag = None
1103
self.checker = None
1001
1104
1002
1105
if returncode >= 0:
1003
1106
self.last_checker_status = returncode
1004
1107
self.last_checker_signal = None
1005
1108
if self.last_checker_status == 0:
1006
logger.info("Checker for %(name)s succeeded",
1007
vars(self))
1109
log.info("Checker for %(name)s succeeded", vars(self))
1008
1110
self.checked_ok()
1009
1111
else:
1010
logger.info("Checker for %(name)s failed", vars(self))
1112
log.info("Checker for %(name)s failed", vars(self))
1011
1113
else:
1012
1114
self.last_checker_status = -1
1013
1115
self.last_checker_signal = -returncode
1014
logger.warning("Checker for %(name)s crashed?",
1015
vars(self))
1116
log.warning("Checker for %(name)s crashed?", vars(self))
1016
1117
return False
1017
1118
1018
1119
def checked_ok(self):
1052
1153
# should be.
1053
1154
1054
1155
if self.checker is not None and not self.checker.is_alive():
1055
logger.warning("Checker was not alive; joining")
1156
log.warning("Checker was not alive; joining")
1056
1157
self.checker.join()
1057
1158
self.checker = None
1058
1159
# Start a new checker if needed
1059
1160
if self.checker is None:
1060
1161
# Escape attributes for the shell
1061
1162
escaped_attrs = {
1062
attr: re.escape(str(getattr(self, attr)))
1163
attr: shlex.quote(str(getattr(self, attr)))
1063
1164
for attr in self.runtime_expansions}
1064
1165
try:
1065
1166
command = self.checker_command % escaped_attrs
1066
1167
except TypeError as error:
1067
logger.error('Could not format string "%s"',
1068
self.checker_command,
1069
exc_info=error)
1168
log.error('Could not format string "%s"',
1169
self.checker_command, exc_info=error)
1070
1170
return True # Try again later
1071
1171
self.current_checker_command = command
1072
logger.info("Starting checker %r for %s", command,
1073
self.name)
1172
log.info("Starting checker %r for %s", command, self.name)
1074
1173
# We don't need to redirect stdout and stderr, since
1075
1174
# in normal mode, that is already done by daemon(),
1076
1175
# and in debug mode we don't want to. (Stdin is
1092
1191
kwargs=popen_args)
1093
1192
self.checker.start()
1094
1193
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
1194
GLib.IOChannel.unix_new(pipe[0].fileno()),
1195
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1096
1196
self.checker_callback, pipe[0], command)
1097
1197
# Re-run this periodically if run by GLib.timeout_add
1098
1198
return True
1104
1204
self.checker_callback_tag = None
1105
1205
if getattr(self, "checker", None) is None:
1106
1206
return
1107
logger.debug("Stopping checker for %(name)s", vars(self))
1207
log.debug("Stopping checker for %(name)s", vars(self))
1108
1208
self.checker.terminate()
1109
1209
self.checker = None
1110
1210
1137
1237
func._dbus_name = func.__name__
1138
1238
if func._dbus_name.endswith("_dbus_property"):
1139
1239
func._dbus_name = func._dbus_name[:-14]
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1240
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1141
1241
return func
1142
1242
1143
1243
return decorator
1232
1332
1233
1333
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1234
1334
out_signature="s",
1235
path_keyword='object_path',
1236
connection_keyword='connection')
1335
path_keyword="object_path",
1336
connection_keyword="connection")
1237
1337
def Introspect(self, object_path, connection):
1238
1338
"""Overloading of standard D-Bus method.
1239
1339
1288
1388
document.unlink()
1289
1389
except (AttributeError, xml.dom.DOMException,
1290
1390
xml.parsers.expat.ExpatError) as error:
1291
logger.error("Failed to override Introspection method",
1292
exc_info=error)
1391
log.error("Failed to override Introspection method",
1392
exc_info=error)
1293
1393
return xmlstring
1294
1394
1295
1395
1353
1453
raise ValueError("Byte arrays not supported for non-"
1354
1454
"'ay' signature {!r}"
1355
1455
.format(prop._dbus_signature))
1356
value = dbus.ByteArray(b''.join(chr(byte)
1357
for byte in value))
1456
value = dbus.ByteArray(bytes(value))
1358
1457
prop(value)
1359
1458
1360
1459
@dbus.service.method(dbus.PROPERTIES_IFACE,
1393
1492
1394
1493
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1395
1494
out_signature="s",
1396
path_keyword='object_path',
1397
connection_keyword='connection')
1495
path_keyword="object_path",
1496
connection_keyword="connection")
1398
1497
def Introspect(self, object_path, connection):
1399
1498
"""Overloading of standard D-Bus method.
1400
1499
1456
1555
document.unlink()
1457
1556
except (AttributeError, xml.dom.DOMException,
1458
1557
xml.parsers.expat.ExpatError) as error:
1459
logger.error("Failed to override Introspection method",
1460
exc_info=error)
1558
log.error("Failed to override Introspection method",
1559
exc_info=error)
1461
1560
return xmlstring
1462
1561
1463
1562
1495
1594
1496
1595
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1497
1596
out_signature="s",
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1597
path_keyword="object_path",
1598
connection_keyword="connection")
1500
1599
def Introspect(self, object_path, connection):
1501
1600
"""Overloading of standard D-Bus method.
1502
1601
1527
1626
document.unlink()
1528
1627
except (AttributeError, xml.dom.DOMException,
1529
1628
xml.parsers.expat.ExpatError) as error:
1530
logger.error("Failed to override Introspection method",
1531
exc_info=error)
1629
log.error("Failed to override Introspection method",
1630
exc_info=error)
1532
1631
return xmlstring
1533
1632
1534
1633
1998
2097
def Name_dbus_property(self):
1999
2098
return dbus.String(self.name)
2000
2099
2100
# KeyID - property
2101
@dbus_annotations(
2102
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2103
@dbus_service_property(_interface, signature="s", access="read")
2104
def KeyID_dbus_property(self):
2105
return dbus.String(self.key_id)
2106
2001
2107
# Fingerprint - property
2002
2108
@dbus_annotations(
2003
2109
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2158
2264
del _interface
2159
2265
2160
2266
2161
class ProxyClient(object):
2162
def __init__(self, child_pipe, fpr, address):
2267
class ProxyClient:
2268
def __init__(self, child_pipe, key_id, fpr, address):
2163
2269
self._pipe = child_pipe
2164
self._pipe.send(('init', fpr, address))
2270
self._pipe.send(("init", key_id, fpr, address))
2165
2271
if not self._pipe.recv():
2166
raise KeyError(fpr)
2272
raise KeyError(key_id or fpr)
2167
2273
2168
2274
def __getattribute__(self, name):
2169
if name == '_pipe':
2275
if name == "_pipe":
2170
2276
return super(ProxyClient, self).__getattribute__(name)
2171
self._pipe.send(('getattr', name))
2277
self._pipe.send(("getattr", name))
2172
2278
data = self._pipe.recv()
2173
if data[0] == 'data':
2279
if data[0] == "data":
2174
2280
return data[1]
2175
if data[0] == 'function':
2281
if data[0] == "function":
2176
2282
2177
2283
def func(*args, **kwargs):
2178
self._pipe.send(('funcall', name, args, kwargs))
2284
self._pipe.send(("funcall", name, args, kwargs))
2179
2285
return self._pipe.recv()[1]
2180
2286
2181
2287
return func
2182
2288
2183
2289
def __setattr__(self, name, value):
2184
if name == '_pipe':
2290
if name == "_pipe":
2185
2291
return super(ProxyClient, self).__setattr__(name, value)
2186
self._pipe.send(('setattr', name, value))
2292
self._pipe.send(("setattr", name, value))
2187
2293
2188
2294
2189
2295
class ClientHandler(socketserver.BaseRequestHandler, object):
2194
2300
2195
2301
def handle(self):
2196
2302
with contextlib.closing(self.server.child_pipe) as child_pipe:
2197
logger.info("TCP connection from: %s",
2198
str(self.client_address))
2199
logger.debug("Pipe FD: %d",
2200
self.server.child_pipe.fileno())
2303
log.info("TCP connection from: %s",
2304
str(self.client_address))
2305
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2201
2306
2202
2307
session = gnutls.ClientSession(self.request)
2203
2308
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2309
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2205
2310
# "+AES-256-CBC", "+SHA1",
2206
2311
# "+COMP-NULL", "+CTYPE-OPENPGP",
2207
2312
# "+DHE-DSS"))
2209
2314
priority = self.server.gnutls_priority
2210
2315
if priority is None:
2211
2316
priority = "NORMAL"
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2214
None)
2317
gnutls.priority_set_direct(session,
2318
priority.encode("utf-8"), None)
2215
2319
2216
2320
# Start communication using the Mandos protocol
2217
2321
# Get protocol number
2218
2322
line = self.request.makefile().readline()
2219
logger.debug("Protocol version: %r", line)
2323
log.debug("Protocol version: %r", line)
2220
2324
try:
2221
2325
if int(line.strip().split()[0]) > 1:
2222
2326
raise RuntimeError(line)
2223
2327
except (ValueError, IndexError, RuntimeError) as error:
2224
logger.error("Unknown protocol version: %s", error)
2328
log.error("Unknown protocol version: %s", error)
2225
2329
return
2226
2330
2227
2331
# Start GnuTLS connection
2228
2332
try:
2229
2333
session.handshake()
2230
2334
except gnutls.Error as error:
2231
logger.warning("Handshake failed: %s", error)
2335
log.warning("Handshake failed: %s", error)
2232
2336
# Do not run session.bye() here: the session is not
2233
2337
# established. Just abandon the request.
2234
2338
return
2235
logger.debug("Handshake succeeded")
2339
log.debug("Handshake succeeded")
2236
2340
2237
2341
approval_required = False
2238
2342
try:
2239
try:
2240
fpr = self.fingerprint(
2241
self.peer_certificate(session))
2242
except (TypeError, gnutls.Error) as error:
2243
logger.warning("Bad certificate: %s", error)
2244
return
2245
logger.debug("Fingerprint: %s", fpr)
2246
2247
try:
2248
client = ProxyClient(child_pipe, fpr,
2343
if gnutls.has_rawpk:
2344
fpr = b""
2345
try:
2346
key_id = self.key_id(
2347
self.peer_certificate(session))
2348
except (TypeError, gnutls.Error) as error:
2349
log.warning("Bad certificate: %s", error)
2350
return
2351
log.debug("Key ID: %s",
2352
key_id.decode("utf-8",
2353
errors="replace"))
2354
2355
else:
2356
key_id = b""
2357
try:
2358
fpr = self.fingerprint(
2359
self.peer_certificate(session))
2360
except (TypeError, gnutls.Error) as error:
2361
log.warning("Bad certificate: %s", error)
2362
return
2363
log.debug("Fingerprint: %s", fpr)
2364
2365
try:
2366
client = ProxyClient(child_pipe, key_id, fpr,
2249
2367
self.client_address)
2250
2368
except KeyError:
2251
2369
return
2257
2375
2258
2376
while True:
2259
2377
if not client.enabled:
2260
logger.info("Client %s is disabled",
2261
client.name)
2378
log.info("Client %s is disabled", client.name)
2262
2379
if self.server.use_dbus:
2263
2380
# Emit D-Bus signal
2264
2381
client.Rejected("Disabled")
2268
2385
# We are approved or approval is disabled
2269
2386
break
2270
2387
elif client.approved is None:
2271
logger.info("Client %s needs approval",
2272
client.name)
2388
log.info("Client %s needs approval",
2389
client.name)
2273
2390
if self.server.use_dbus:
2274
2391
# Emit D-Bus signal
2275
2392
client.NeedApproval(
2276
2393
client.approval_delay.total_seconds()
2277
2394
* 1000, client.approved_by_default)
2278
2395
else:
2279
logger.warning("Client %s was not approved",
2280
client.name)
2396
log.warning("Client %s was not approved",
2397
client.name)
2281
2398
if self.server.use_dbus:
2282
2399
# Emit D-Bus signal
2283
2400
client.Rejected("Denied")
2291
2408
time2 = datetime.datetime.now()
2292
2409
if (time2 - time) >= delay:
2293
2410
if not client.approved_by_default:
2294
logger.warning("Client %s timed out while"
2295
" waiting for approval",
2296
client.name)
2411
log.warning("Client %s timed out while"
2412
" waiting for approval",
2413
client.name)
2297
2414
if self.server.use_dbus:
2298
2415
# Emit D-Bus signal
2299
2416
client.Rejected("Approval timed out")
2306
2423
try:
2307
2424
session.send(client.secret)
2308
2425
except gnutls.Error as error:
2309
logger.warning("gnutls send failed",
2310
exc_info=error)
2426
log.warning("gnutls send failed", exc_info=error)
2311
2427
return
2312
2428
2313
logger.info("Sending secret to %s", client.name)
2429
log.info("Sending secret to %s", client.name)
2314
2430
# bump the timeout using extended_timeout
2315
2431
client.bump_timeout(client.extended_timeout)
2316
2432
if self.server.use_dbus:
2323
2439
try:
2324
2440
session.bye()
2325
2441
except gnutls.Error as error:
2326
logger.warning("GnuTLS bye failed",
2327
exc_info=error)
2442
log.warning("GnuTLS bye failed", exc_info=error)
2328
2443
2329
2444
@staticmethod
2330
2445
def peer_certificate(session):
2331
"Return the peer's OpenPGP certificate as a bytestring"
2332
# If not an OpenPGP certificate...
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2446
"Return the peer's certificate as a bytestring"
2447
try:
2448
cert_type = gnutls.certificate_type_get2(
2449
session, gnutls.CTYPE_PEERS)
2450
except AttributeError:
2451
cert_type = gnutls.certificate_type_get(session)
2452
if gnutls.has_rawpk:
2453
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2454
else:
2455
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2456
# If not a valid certificate type...
2457
if cert_type not in valid_cert_types:
2458
log.info("Cert type %r not in %r", cert_type,
2459
valid_cert_types)
2335
2460
# ...return invalid data
2336
2461
return b""
2337
2462
list_size = ctypes.c_uint(1)
2338
2463
cert_list = (gnutls.certificate_get_peers
2339
(session._c_object, ctypes.byref(list_size)))
2464
(session, ctypes.byref(list_size)))
2340
2465
if not bool(cert_list) and list_size.value != 0:
2341
2466
raise gnutls.Error("error getting peer certificate")
2342
2467
if list_size.value == 0:
2345
2470
return ctypes.string_at(cert.data, cert.size)
2346
2471
2347
2472
@staticmethod
2473
def key_id(certificate):
2474
"Convert a certificate bytestring to a hexdigit key ID"
2475
# New GnuTLS "datum" with the public key
2476
datum = gnutls.datum_t(
2477
ctypes.cast(ctypes.c_char_p(certificate),
2478
ctypes.POINTER(ctypes.c_ubyte)),
2479
ctypes.c_uint(len(certificate)))
2480
# XXX all these need to be created in the gnutls "module"
2481
# New empty GnuTLS certificate
2482
pubkey = gnutls.pubkey_t()
2483
gnutls.pubkey_init(ctypes.byref(pubkey))
2484
# Import the raw public key into the certificate
2485
gnutls.pubkey_import(pubkey,
2486
ctypes.byref(datum),
2487
gnutls.X509_FMT_DER)
2488
# New buffer for the key ID
2489
buf = ctypes.create_string_buffer(32)
2490
buf_len = ctypes.c_size_t(len(buf))
2491
# Get the key ID from the raw public key into the buffer
2492
gnutls.pubkey_get_key_id(
2493
pubkey,
2494
gnutls.KEYID_USE_SHA256,
2495
ctypes.cast(ctypes.byref(buf),
2496
ctypes.POINTER(ctypes.c_ubyte)),
2497
ctypes.byref(buf_len))
2498
# Deinit the certificate
2499
gnutls.pubkey_deinit(pubkey)
2500
2501
# Convert the buffer to a Python bytestring
2502
key_id = ctypes.string_at(buf, buf_len.value)
2503
# Convert the bytestring to hexadecimal notation
2504
hex_key_id = binascii.hexlify(key_id).upper()
2505
return hex_key_id
2506
2507
@staticmethod
2348
2508
def fingerprint(openpgp):
2349
2509
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2350
2510
# New GnuTLS "datum" with the OpenPGP public key
2364
2524
ctypes.byref(crtverify))
2365
2525
if crtverify.value != 0:
2366
2526
gnutls.openpgp_crt_deinit(crt)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2527
raise gnutls.CertificateSecurityError(code
2528
=crtverify.value)
2368
2529
# New buffer for the fingerprint
2369
2530
buf = ctypes.create_string_buffer(20)
2370
2531
buf_len = ctypes.c_size_t()
2380
2541
return hex_fpr
2381
2542
2382
2543
2383
class MultiprocessingMixIn(object):
2544
class MultiprocessingMixIn:
2384
2545
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2385
2546
2386
2547
def sub_process_main(self, request, address):
2398
2559
return proc
2399
2560
2400
2561
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2562
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2402
2563
""" adds a pipe to the MixIn """
2403
2564
2404
2565
def process_request(self, request, client_address):
2419
2580
2420
2581
2421
2582
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2422
socketserver.TCPServer, object):
2423
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2583
socketserver.TCPServer):
2584
"""IPv6-capable TCP server. Accepts None as address and/or port
2424
2585
2425
2586
Attributes:
2426
2587
enabled: Boolean; whether this server is activated yet
2477
2638
if SO_BINDTODEVICE is None:
2478
2639
# Fall back to a hard-coded value which seems to be
2479
2640
# common enough.
2480
logger.warning("SO_BINDTODEVICE not found, trying 25")
2641
log.warning("SO_BINDTODEVICE not found, trying 25")
2481
2642
SO_BINDTODEVICE = 25
2482
2643
try:
2483
2644
self.socket.setsockopt(
2485
2646
(self.interface + "\0").encode("utf-8"))
2486
2647
except socket.error as error:
2487
2648
if error.errno == errno.EPERM:
2488
logger.error("No permission to bind to"
2489
" interface %s", self.interface)
2649
log.error("No permission to bind to interface %s",
2650
self.interface)
2490
2651
elif error.errno == errno.ENOPROTOOPT:
2491
logger.error("SO_BINDTODEVICE not available;"
2492
" cannot bind to interface %s",
2493
self.interface)
2652
log.error("SO_BINDTODEVICE not available; cannot"
2653
" bind to interface %s", self.interface)
2494
2654
elif error.errno == errno.ENODEV:
2495
logger.error("Interface %s does not exist,"
2496
" cannot bind", self.interface)
2655
log.error("Interface %s does not exist, cannot"
2656
" bind", self.interface)
2497
2657
else:
2498
2658
raise
2499
2659
# Only bind(2) the socket if we really need to.
2500
2660
if self.server_address[0] or self.server_address[1]:
2661
if self.server_address[1]:
2662
self.allow_reuse_address = True
2501
2663
if not self.server_address[0]:
2502
2664
if self.address_family == socket.AF_INET6:
2503
2665
any_address = "::" # in6addr_any
2556
2718
def add_pipe(self, parent_pipe, proc):
2557
2719
# Call "handle_ipc" for both data and EOF events
2558
2720
GLib.io_add_watch(
2559
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2721
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2722
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2561
2723
functools.partial(self.handle_ipc,
2562
2724
parent_pipe=parent_pipe,
2563
2725
proc=proc))
2576
2738
request = parent_pipe.recv()
2577
2739
command = request[0]
2578
2740
2579
if command == 'init':
2580
fpr = request[1]
2581
address = request[2]
2741
if command == "init":
2742
key_id = request[1].decode("ascii")
2743
fpr = request[2].decode("ascii")
2744
address = request[3]
2582
2745
2583
2746
for c in self.clients.values():
2584
if c.fingerprint == fpr:
2747
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2748
"27AE41E4649B934CA495991B7852B855"):
2749
continue
2750
if key_id and c.key_id == key_id:
2751
client = c
2752
break
2753
if fpr and c.fingerprint == fpr:
2585
2754
client = c
2586
2755
break
2587
2756
else:
2588
logger.info("Client not found for fingerprint: %s, ad"
2589
"dress: %s", fpr, address)
2757
log.info("Client not found for key ID: %s, address:"
2758
" %s", key_id or fpr, address)
2590
2759
if self.use_dbus:
2591
2760
# Emit D-Bus signal
2592
mandos_dbus_service.ClientNotFound(fpr,
2761
mandos_dbus_service.ClientNotFound(key_id or fpr,
2593
2762
address[0])
2594
2763
parent_pipe.send(False)
2595
2764
return False
2596
2765
2597
2766
GLib.io_add_watch(
2598
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2767
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2768
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2600
2769
functools.partial(self.handle_ipc,
2601
2770
parent_pipe=parent_pipe,
2602
2771
proc=proc,
2605
2774
# remove the old hook in favor of the new above hook on
2606
2775
# same fileno
2607
2776
return False
2608
if command == 'funcall':
2777
if command == "funcall":
2609
2778
funcname = request[1]
2610
2779
args = request[2]
2611
2780
kwargs = request[3]
2612
2781
2613
parent_pipe.send(('data', getattr(client_object,
2782
parent_pipe.send(("data", getattr(client_object,
2614
2783
funcname)(*args,
2615
2784
**kwargs)))
2616
2785
2617
if command == 'getattr':
2786
if command == "getattr":
2618
2787
attrname = request[1]
2619
2788
if isinstance(client_object.__getattribute__(attrname),
2620
collections.Callable):
2621
parent_pipe.send(('function', ))
2789
collections.abc.Callable):
2790
parent_pipe.send(("function", ))
2622
2791
else:
2623
2792
parent_pipe.send((
2624
'data', client_object.__getattribute__(attrname)))
2793
"data", client_object.__getattribute__(attrname)))
2625
2794
2626
if command == 'setattr':
2795
if command == "setattr":
2627
2796
attrname = request[1]
2628
2797
value = request[2]
2629
2798
setattr(client_object, attrname, value)
2634
2803
def rfc3339_duration_to_delta(duration):
2635
2804
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2636
2805
2637
>>> rfc3339_duration_to_delta("P7D")
2638
datetime.timedelta(7)
2639
>>> rfc3339_duration_to_delta("PT60S")
2640
datetime.timedelta(0, 60)
2641
>>> rfc3339_duration_to_delta("PT60M")
2642
datetime.timedelta(0, 3600)
2643
>>> rfc3339_duration_to_delta("PT24H")
2644
datetime.timedelta(1)
2645
>>> rfc3339_duration_to_delta("P1W")
2646
datetime.timedelta(7)
2647
>>> rfc3339_duration_to_delta("PT5M30S")
2648
datetime.timedelta(0, 330)
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
datetime.timedelta(1, 200)
2806
>>> timedelta = datetime.timedelta
2807
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2808
True
2809
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2810
True
2811
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2812
True
2813
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2814
True
2815
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2816
True
2817
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2818
True
2819
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2820
True
2821
>>> del timedelta
2651
2822
"""
2652
2823
2653
2824
# Parsing an RFC 3339 duration with regular expressions is not
2733
2904
def string_to_delta(interval):
2734
2905
"""Parse a string and return a datetime.timedelta
2735
2906
2736
>>> string_to_delta('7d')
2737
datetime.timedelta(7)
2738
>>> string_to_delta('60s')
2739
datetime.timedelta(0, 60)
2740
>>> string_to_delta('60m')
2741
datetime.timedelta(0, 3600)
2742
>>> string_to_delta('24h')
2743
datetime.timedelta(1)
2744
>>> string_to_delta('1w')
2745
datetime.timedelta(7)
2746
>>> string_to_delta('5m 30s')
2747
datetime.timedelta(0, 330)
2907
>>> string_to_delta("7d") == datetime.timedelta(7)
2908
True
2909
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2910
True
2911
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2912
True
2913
>>> string_to_delta("24h") == datetime.timedelta(1)
2914
True
2915
>>> string_to_delta("1w") == datetime.timedelta(7)
2916
True
2917
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2918
True
2748
2919
"""
2749
2920
2750
2921
try:
2852
3023
2853
3024
options = parser.parse_args()
2854
3025
2855
if options.check:
2856
import doctest
2857
fail_count, test_count = doctest.testmod()
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2860
3026
# Default values for config file for server-global settings
3027
if gnutls.has_rawpk:
3028
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3029
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3030
else:
3031
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3032
":+SIGN-DSA-SHA256")
2861
3033
server_defaults = {"interface": "",
2862
3034
"address": "",
2863
3035
"port": "",
2864
3036
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
3037
"priority": priority,
2868
3038
"servicename": "Mandos",
2869
3039
"use_dbus": "True",
2870
3040
"use_ipv6": "True",
2875
3045
"foreground": "False",
2876
3046
"zeroconf": "True",
2877
3047
}
3048
del priority
2878
3049
2879
3050
# Parse config file for server-global settings
2880
server_config = configparser.SafeConfigParser(server_defaults)
3051
server_config = configparser.ConfigParser(server_defaults)
2881
3052
del server_defaults
2882
3053
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2883
# Convert the SafeConfigParser object to a dict
3054
# Convert the ConfigParser object to a dict
2884
3055
server_settings = server_config.defaults()
2885
3056
# Use the appropriate methods on the non-string config options
2886
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3057
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3058
"foreground", "zeroconf"):
2887
3059
server_settings[option] = server_config.getboolean("DEFAULT",
2888
3060
option)
2889
3061
if server_settings["port"]:
2952
3124
2953
3125
if server_settings["servicename"] != "Mandos":
2954
3126
syslogger.setFormatter(
2955
logging.Formatter('Mandos ({}) [%(process)d]:'
2956
' %(levelname)s: %(message)s'.format(
3127
logging.Formatter("Mandos ({}) [%(process)d]:"
3128
" %(levelname)s: %(message)s".format(
2957
3129
server_settings["servicename"])))
2958
3130
2959
3131
# Parse config file with clients
2960
client_config = configparser.SafeConfigParser(Client
2961
.client_defaults)
3132
client_config = configparser.ConfigParser(Client.client_defaults)
2962
3133
client_config.read(os.path.join(server_settings["configdir"],
2963
3134
"clients.conf"))
2964
3135
2984
3155
try:
2985
3156
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2986
3157
except IOError as e:
2987
logger.error("Could not open file %r", pidfilename,
2988
exc_info=e)
3158
log.error("Could not open file %r", pidfilename,
3159
exc_info=e)
2989
3160
2990
3161
for name, group in (("_mandos", "_mandos"),
2991
3162
("mandos", "mandos"),
3002
3173
try:
3003
3174
os.setgid(gid)
3004
3175
os.setuid(uid)
3005
if debug:
3006
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3007
gid))
3176
log.debug("Did setuid/setgid to %s:%s", uid, gid)
3008
3177
except OSError as error:
3009
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3010
.format(uid, gid, os.strerror(error.errno)))
3178
log.warning("Failed to setuid/setgid to %s:%s: %s", uid, gid,
3179
os.strerror(error.errno))
3011
3180
if error.errno != errno.EPERM:
3012
3181
raise
3013
3182
3020
3189
3021
3190
@gnutls.log_func
3022
3191
def debug_gnutls(level, string):
3023
logger.debug("GnuTLS: %s", string[:-1])
3192
log.debug("GnuTLS: %s",
3193
string[:-1].decode("utf-8", errors="replace"))
3024
3194
3025
3195
gnutls.global_set_log_function(debug_gnutls)
3026
3196
3035
3205
# Close all input and output, do double fork, etc.
3036
3206
daemon()
3037
3207
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3208
if gi.version_info < (3, 10, 2):
3209
# multiprocessing will use threads, so before we use GLib we
3210
# need to inform GLib that threads will be used.
3211
GLib.threads_init()
3041
3212
3042
3213
global main_loop
3043
3214
# From the Avahi example code
3054
3225
"se.bsnet.fukt.Mandos", bus,
3055
3226
do_not_queue=True)
3056
3227
except dbus.exceptions.DBusException as e:
3057
logger.error("Disabling D-Bus:", exc_info=e)
3228
log.error("Disabling D-Bus:", exc_info=e)
3058
3229
use_dbus = False
3059
3230
server_settings["use_dbus"] = False
3060
3231
tcp_server.use_dbus = False
3119
3290
if isinstance(s, bytes)
3120
3291
else s) for s in
3121
3292
value["client_structure"]]
3122
# .name & .host
3123
for k in ("name", "host"):
3293
# .name, .host, and .checker_command
3294
for k in ("name", "host", "checker_command"):
3124
3295
if isinstance(value[k], bytes):
3125
3296
value[k] = value[k].decode("utf-8")
3297
if "key_id" not in value:
3298
value["key_id"] = ""
3299
elif "fingerprint" not in value:
3300
value["fingerprint"] = ""
3126
3301
# old_client_settings
3127
3302
# .keys()
3128
3303
old_client_settings = {
3132
3307
for key, value in
3133
3308
bytes_old_client_settings.items()}
3134
3309
del bytes_old_client_settings
3135
# .host
3310
# .host and .checker_command
3136
3311
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3312
for attribute in ("host", "checker_command"):
3313
if isinstance(value[attribute], bytes):
3314
value[attribute] = (value[attribute]
3315
.decode("utf-8"))
3140
3316
os.remove(stored_state_path)
3141
3317
except IOError as e:
3142
3318
if e.errno == errno.ENOENT:
3143
logger.warning("Could not load persistent state:"
3144
" {}".format(os.strerror(e.errno)))
3319
log.warning("Could not load persistent state:"
3320
" %s", os.strerror(e.errno))
3145
3321
else:
3146
logger.critical("Could not load persistent state:",
3147
exc_info=e)
3322
log.critical("Could not load persistent state:",
3323
exc_info=e)
3148
3324
raise
3149
3325
except EOFError as e:
3150
logger.warning("Could not load persistent state: "
3151
"EOFError:",
3152
exc_info=e)
3326
log.warning("Could not load persistent state: EOFError:",
3327
exc_info=e)
3153
3328
3154
3329
with PGPEngine() as pgp:
3155
3330
for client_name, client in clients_data.items():
3182
3357
if client["enabled"]:
3183
3358
if datetime.datetime.utcnow() >= client["expires"]:
3184
3359
if not client["last_checked_ok"]:
3185
logger.warning(
3186
"disabling client {} - Client never "
3187
"performed a successful checker".format(
3188
client_name))
3360
log.warning("disabling client %s - Client"
3361
" never performed a successful"
3362
" checker", client_name)
3189
3363
client["enabled"] = False
3190
3364
elif client["last_checker_status"] != 0:
3191
logger.warning(
3192
"disabling client {} - Client last"
3193
" checker failed with error code"
3194
" {}".format(
3195
client_name,
3196
client["last_checker_status"]))
3365
log.warning("disabling client %s - Client"
3366
" last checker failed with error"
3367
" code %s", client_name,
3368
client["last_checker_status"])
3197
3369
client["enabled"] = False
3198
3370
else:
3199
3371
client["expires"] = (
3200
3372
datetime.datetime.utcnow()
3201
3373
+ client["timeout"])
3202
logger.debug("Last checker succeeded,"
3203
" keeping {} enabled".format(
3204
client_name))
3374
log.debug("Last checker succeeded, keeping %s"
3375
" enabled", client_name)
3205
3376
try:
3206
3377
client["secret"] = pgp.decrypt(
3207
3378
client["encrypted_secret"],
3208
3379
client_settings[client_name]["secret"])
3209
3380
except PGPError:
3210
3381
# If decryption fails, we use secret from new settings
3211
logger.debug("Failed to decrypt {} old secret".format(
3212
client_name))
3382
log.debug("Failed to decrypt %s old secret",
3383
client_name)
3213
3384
client["secret"] = (client_settings[client_name]
3214
3385
["secret"])
3215
3386
3229
3400
server_settings=server_settings)
3230
3401
3231
3402
if not tcp_server.clients:
3232
logger.warning("No clients defined")
3403
log.warning("No clients defined")
3233
3404
3234
3405
if not foreground:
3235
3406
if pidfile is not None:
3238
3409
with pidfile:
3239
3410
print(pid, file=pidfile)
3240
3411
except IOError:
3241
logger.error("Could not write to file %r with PID %d",
3242
pidfilename, pid)
3412
log.error("Could not write to file %r with PID %d",
3413
pidfilename, pid)
3243
3414
del pidfile
3244
3415
del pidfilename
3245
3416
3265
3436
pass
3266
3437
3267
3438
@dbus.service.signal(_interface, signature="ss")
3268
def ClientNotFound(self, fingerprint, address):
3439
def ClientNotFound(self, key_id, address):
3269
3440
"D-Bus signal"
3270
3441
pass
3271
3442
3395
3566
3396
3567
try:
3397
3568
with tempfile.NamedTemporaryFile(
3398
mode='wb',
3569
mode="wb",
3399
3570
suffix=".pickle",
3400
prefix='clients-',
3571
prefix="clients-",
3401
3572
dir=os.path.dirname(stored_state_path),
3402
3573
delete=False) as stored_state:
3403
3574
pickle.dump((clients, client_settings), stored_state,
3411
3582
except NameError:
3412
3583
pass
3413
3584
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
3414
logger.warning("Could not save persistent state: {}"
3415
.format(os.strerror(e.errno)))
3585
log.warning("Could not save persistent state: %s",
3586
os.strerror(e.errno))
3416
3587
else:
3417
logger.warning("Could not save persistent state:",
3418
exc_info=e)
3588
log.warning("Could not save persistent state:",
3589
exc_info=e)
3419
3590
raise
3420
3591
3421
3592
# Delete all clients, and settings from config
3447
3618
if zeroconf:
3448
3619
service.port = tcp_server.socket.getsockname()[1]
3449
3620
if use_ipv6:
3450
logger.info("Now listening on address %r, port %d,"
3451
" flowinfo %d, scope_id %d",
3452
*tcp_server.socket.getsockname())
3621
log.info("Now listening on address %r, port %d, flowinfo %d,"
3622
" scope_id %d", *tcp_server.socket.getsockname())
3453
3623
else: # IPv4
3454
logger.info("Now listening on address %r, port %d",
3455
*tcp_server.socket.getsockname())
3624
log.info("Now listening on address %r, port %d",
3625
*tcp_server.socket.getsockname())
3456
3626
3457
3627
# service.interface = tcp_server.socket.getsockname()[3]
3458
3628
3462
3632
try:
3463
3633
service.activate()
3464
3634
except dbus.exceptions.DBusException as error:
3465
logger.critical("D-Bus Exception", exc_info=error)
3635
log.critical("D-Bus Exception", exc_info=error)
3466
3636
cleanup()
3467
3637
sys.exit(1)
3468
3638
# End of Avahi example code
3469
3639
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3640
GLib.io_add_watch(
3641
GLib.IOChannel.unix_new(tcp_server.fileno()),
3642
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3643
lambda *args, **kwargs: (tcp_server.handle_request
3644
(*args[2:], **kwargs) or True))
3474
3645
3475
logger.debug("Starting main loop")
3646
log.debug("Starting main loop")
3476
3647
main_loop.run()
3477
3648
except AvahiError as error:
3478
logger.critical("Avahi Error", exc_info=error)
3649
log.critical("Avahi Error", exc_info=error)
3479
3650
cleanup()
3480
3651
sys.exit(1)
3481
3652
except KeyboardInterrupt:
3482
3653
if debug:
3483
3654
print("", file=sys.stderr)
3484
logger.debug("Server received KeyboardInterrupt")
3485
logger.debug("Server exiting")
3655
log.debug("Server received KeyboardInterrupt")
3656
log.debug("Server exiting")
3486
3657
# Must run before the D-Bus bus name gets deregistered
3487
3658
cleanup()
3488
3659
3489
3490
if __name__ == '__main__':
3491
main()
3660
3661
def parse_test_args():
3662
# type: () -> argparse.Namespace
3663
parser = argparse.ArgumentParser(add_help=False)
3664
parser.add_argument("--check", action="store_true")
3665
parser.add_argument("--prefix", )
3666
args, unknown_args = parser.parse_known_args()
3667
if args.check:
3668
# Remove test options from sys.argv
3669
sys.argv[1:] = unknown_args
3670
return args
3671
3672
# Add all tests from doctest strings
3673
def load_tests(loader, tests, none):
3674
import doctest
3675
tests.addTests(doctest.DocTestSuite())
3676
return tests
3677
3678
if __name__ == "__main__":
3679
options = parse_test_args()
3680
try:
3681
if options.check:
3682
extra_test_prefix = options.prefix
3683
if extra_test_prefix is not None:
3684
if not (unittest.main(argv=[""], exit=False)
3685
.result.wasSuccessful()):
3686
sys.exit(1)
3687
class ExtraTestLoader(unittest.TestLoader):
3688
testMethodPrefix = extra_test_prefix
3689
# Call using ./scriptname --test [--verbose]
3690
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3691
else:
3692
unittest.main(argv=[""])
3693
else:
3694
main()
3695
finally:
3696
logging.shutdown()
3697
3698
# Local Variables:
3699
# run-tests:
3700
# (lambda (&optional extra)
3701
# (if (not (funcall run-tests-in-test-buffer default-directory
3702
# extra))
3703
# (funcall show-test-buffer-in-test-window)
3704
# (funcall remove-test-window)
3705
# (if extra (message "Extra tests run successfully!"))))
3706
# run-tests-in-test-buffer:
3707
# (lambda (dir &optional extra)
3708
# (with-current-buffer (get-buffer-create "*Test*")
3709
# (setq buffer-read-only nil
3710
# default-directory dir)
3711
# (erase-buffer)
3712
# (compilation-mode))
3713
# (let ((process-result
3714
# (let ((inhibit-read-only t))
3715
# (process-file-shell-command
3716
# (funcall get-command-line extra) nil "*Test*"))))
3717
# (and (numberp process-result)
3718
# (= process-result 0))))
3719
# get-command-line:
3720
# (lambda (&optional extra)
3721
# (let ((quoted-script
3722
# (shell-quote-argument (funcall get-script-name))))
3723
# (format
3724
# (concat "%s --check" (if extra " --prefix=atest" ""))
3725
# quoted-script)))
3726
# get-script-name:
3727
# (lambda ()
3728
# (if (fboundp 'file-local-name)
3729
# (file-local-name (buffer-file-name))
3730
# (or (file-remote-p (buffer-file-name) 'localname)
3731
# (buffer-file-name))))
3732
# remove-test-window:
3733
# (lambda ()
3734
# (let ((test-window (get-buffer-window "*Test*")))
3735
# (if test-window (delete-window test-window))))
3736
# show-test-buffer-in-test-window:
3737
# (lambda ()
3738
# (when (not (get-buffer-window-list "*Test*"))
3739
# (setq next-error-last-buffer (get-buffer "*Test*"))
3740
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3741
# (display-buffer-overriding-action
3742
# `((display-buffer-in-side-window) (side . ,side)
3743
# (window-height . fit-window-to-buffer)
3744
# (window-width . fit-window-to-buffer))))
3745
# (display-buffer "*Test*"))))
3746
# eval:
3747
# (progn
3748
# (let* ((run-extra-tests (lambda () (interactive)
3749
# (funcall run-tests t)))
3750
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3751
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3752
# (setq minor-mode-overriding-map-alist
3753
# (cons `(run-tests . ,outer-keymap)
3754
# minor-mode-overriding-map-alist)))
3755
# (add-hook 'after-save-hook run-tests 90 t))
3756
# End:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0