To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.4.138
- compare with another revision
- download diff
- download tarball
- view history from revision 237.4.138
- Committer: Teddy Hogeborn
- Date: 2022-04-25 18:46:48 UTC
- mto: This revision was merged to the branch mainline in revision 1261.
- Revision ID: teddy@recompile.se-20220425184648-w9nas5qn94qcllum
Tags: version-1.8.15-1
Version 1.8.15-1
* Makefile (version): Change to "1.8.15".
* NEWS (Version 1.8.15): Add new entry.
* debian/changelog (1.8.15-1): - '' -
* Makefile (version): Change to "1.8.15".
* NEWS (Version 1.8.15): Add new entry.
* debian/changelog (1.8.15-1): - '' -
- files added:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files removed:
- initramfs-tools-hook-conf
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
1
#!/usr/bin/python3 -bI
2
# -*- coding: utf-8; lexical-binding: t -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
14
# Copyright © 2008-2022 Teddy Hogeborn
15
# Copyright © 2008-2022 Björn Påhlsson
16
16
#
17
17
# This file is part of Mandos.
18
18
#
31
31
#
32
32
# Contact the authors at <mandos@recompile.se>.
33
33
#
34
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
40
39
except ImportError:
41
40
pass
42
41
42
import sys
43
import unittest
44
import argparse
45
import logging
46
import os
43
47
try:
44
48
import SocketServer as socketserver
45
49
except ImportError:
46
50
import socketserver
47
51
import socket
48
import argparse
49
52
import datetime
50
53
import errno
51
54
try:
52
55
import ConfigParser as configparser
53
56
except ImportError:
54
57
import configparser
55
import sys
56
58
import re
57
import os
58
59
import signal
59
60
import subprocess
60
61
import atexit
61
62
import stat
62
import logging
63
63
import logging.handlers
64
64
import pwd
65
65
import contextlib
77
77
import itertools
78
78
import collections
79
79
import codecs
80
import random
81
import shlex
80
82
81
83
import dbus
82
84
import dbus.service
85
import gi
83
86
from gi.repository import GLib
84
87
from dbus.mainloop.glib import DBusGMainLoop
85
88
import ctypes
87
90
import xml.dom.minidom
88
91
import inspect
89
92
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
input = raw_input
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
90
118
# Try to find the value of SO_BINDTODEVICE:
91
119
try:
92
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
112
140
# No value found
113
141
SO_BINDTODEVICE = None
114
142
115
if sys.version_info.major == 2:
116
str = unicode
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
117
145
118
version = "1.7.17"
146
version = "1.8.15"
119
147
stored_state_file = "clients.pickle"
120
148
121
logger = logging.getLogger()
149
log = logging.getLogger(os.path.basename(sys.argv[0]))
150
logging.captureWarnings(True) # Show warnings via the logging system
122
151
syslogger = None
123
152
124
153
try:
160
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
190
address="/dev/log"))
162
191
syslogger.setFormatter(logging.Formatter
163
('Mandos [%(process)d]: %(levelname)s:'
164
' %(message)s'))
165
logger.addHandler(syslogger)
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
194
log.addHandler(syslogger)
166
195
167
196
if debug:
168
197
console = logging.StreamHandler()
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
170
' [%(process)d]:'
171
' %(levelname)s:'
172
' %(message)s'))
173
logger.addHandler(console)
174
logger.setLevel(level)
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
202
log.addHandler(console)
203
log.setLevel(level)
175
204
176
205
177
206
class PGPError(Exception):
179
208
pass
180
209
181
210
182
class PGPEngine(object):
211
class PGPEngine:
183
212
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
213
185
214
def __init__(self):
189
218
output = subprocess.check_output(["gpgconf"])
190
219
for line in output.splitlines():
191
220
name, text, path = line.split(b":")
192
if name == "gpg":
221
if name == b"gpg":
193
222
self.gpg = path
194
223
break
195
224
except OSError as e:
196
225
if e.errno != errno.ENOENT:
197
226
raise
198
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
200
'--force-mdc',
201
'--quiet']
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
202
231
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
204
233
self.gnupgargs.append("--no-use-agent")
205
234
206
235
def __enter__(self):
243
272
dir=self.tempdir) as passfile:
244
273
passfile.write(passphrase)
245
274
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
247
'--passphrase-file',
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
248
277
passfile.name]
249
278
+ self.gnupgargs,
250
279
stdin=subprocess.PIPE,
261
290
dir=self.tempdir) as passfile:
262
291
passfile.write(passphrase)
263
292
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
265
'--passphrase-file',
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
266
295
passfile.name]
267
296
+ self.gnupgargs,
268
297
stdin=subprocess.PIPE,
275
304
276
305
277
306
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
281
309
IF_UNSPEC = -1 # avahi-common/address.h
282
310
PROTO_UNSPEC = -1 # avahi-common/address.h
283
311
PROTO_INET = 0 # avahi-common/address.h
287
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
316
DBUS_PATH_SERVER = "/"
289
317
290
def string_array_to_txt_array(self, t):
318
@staticmethod
319
def string_array_to_txt_array(t):
291
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
321
for s in t), signature="ay")
293
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
327
SERVER_RUNNING = 2 # avahi-common/defs.h
299
328
SERVER_COLLISION = 3 # avahi-common/defs.h
300
329
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
330
303
331
304
332
class AvahiError(Exception):
316
344
pass
317
345
318
346
319
class AvahiService(object):
347
class AvahiService:
320
348
"""An Avahi (Zeroconf) service.
321
349
322
350
Attributes:
323
351
interface: integer; avahi.IF_UNSPEC or an interface index.
324
352
Used to optionally bind to the specified interface.
325
name: string; Example: 'Mandos'
326
type: string; Example: '_mandos._tcp'.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
327
355
See <https://www.iana.org/assignments/service-names-port-numbers>
328
356
port: integer; what port to announce
329
357
TXT: list of strings; TXT record for the service
366
394
def rename(self, remove=True):
367
395
"""Derived from the Avahi example code"""
368
396
if self.rename_count >= self.max_renames:
369
logger.critical("No suitable Zeroconf service name found"
370
" after %i retries, exiting.",
371
self.rename_count)
397
log.critical("No suitable Zeroconf service name found"
398
" after %i retries, exiting.",
399
self.rename_count)
372
400
raise AvahiServiceError("Too many renames")
373
401
self.name = str(
374
402
self.server.GetAlternativeServiceName(self.name))
375
403
self.rename_count += 1
376
logger.info("Changing Zeroconf service name to %r ...",
377
self.name)
404
log.info("Changing Zeroconf service name to %r ...",
405
self.name)
378
406
if remove:
379
407
self.remove()
380
408
try:
382
410
except dbus.exceptions.DBusException as error:
383
411
if (error.get_dbus_name()
384
412
== "org.freedesktop.Avahi.CollisionError"):
385
logger.info("Local Zeroconf service name collision.")
413
log.info("Local Zeroconf service name collision.")
386
414
return self.rename(remove=False)
387
415
else:
388
logger.critical("D-Bus Exception", exc_info=error)
416
log.critical("D-Bus Exception", exc_info=error)
389
417
self.cleanup()
390
418
os._exit(1)
391
419
407
435
avahi.DBUS_INTERFACE_ENTRY_GROUP)
408
436
self.entry_group_state_changed_match = (
409
437
self.group.connect_to_signal(
410
'StateChanged', self.entry_group_state_changed))
411
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
412
self.name, self.type)
438
"StateChanged", self.entry_group_state_changed))
439
log.debug("Adding Zeroconf service '%s' of type '%s' ...",
440
self.name, self.type)
413
441
self.group.AddService(
414
442
self.interface,
415
443
self.protocol,
422
450
423
451
def entry_group_state_changed(self, state, error):
424
452
"""Derived from the Avahi example code"""
425
logger.debug("Avahi entry group state change: %i", state)
453
log.debug("Avahi entry group state change: %i", state)
426
454
427
455
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
logger.debug("Zeroconf service established.")
456
log.debug("Zeroconf service established.")
429
457
elif state == avahi.ENTRY_GROUP_COLLISION:
430
logger.info("Zeroconf service name collision.")
458
log.info("Zeroconf service name collision.")
431
459
self.rename()
432
460
elif state == avahi.ENTRY_GROUP_FAILURE:
433
logger.critical("Avahi: Error in group state changed %s",
434
str(error))
461
log.critical("Avahi: Error in group state changed %s",
462
str(error))
435
463
raise AvahiGroupError("State changed: {!s}".format(error))
436
464
437
465
def cleanup(self):
447
475
448
476
def server_state_changed(self, state, error=None):
449
477
"""Derived from the Avahi example code"""
450
logger.debug("Avahi server state change: %i", state)
478
log.debug("Avahi server state change: %i", state)
451
479
bad_states = {
452
480
avahi.SERVER_INVALID: "Zeroconf server invalid",
453
481
avahi.SERVER_REGISTERING: None,
457
485
if state in bad_states:
458
486
if bad_states[state] is not None:
459
487
if error is None:
460
logger.error(bad_states[state])
488
log.error(bad_states[state])
461
489
else:
462
logger.error(bad_states[state] + ": %r", error)
490
log.error(bad_states[state] + ": %r", error)
463
491
self.cleanup()
464
492
elif state == avahi.SERVER_RUNNING:
465
493
try:
467
495
except dbus.exceptions.DBusException as error:
468
496
if (error.get_dbus_name()
469
497
== "org.freedesktop.Avahi.CollisionError"):
470
logger.info("Local Zeroconf service name"
471
" collision.")
498
log.info("Local Zeroconf service name collision.")
472
499
return self.rename(remove=False)
473
500
else:
474
logger.critical("D-Bus Exception", exc_info=error)
501
log.critical("D-Bus Exception", exc_info=error)
475
502
self.cleanup()
476
503
os._exit(1)
477
504
else:
478
505
if error is None:
479
logger.debug("Unknown state: %r", state)
506
log.debug("Unknown state: %r", state)
480
507
else:
481
logger.debug("Unknown state: %r: %r", state, error)
508
log.debug("Unknown state: %r: %r", state, error)
482
509
483
510
def activate(self):
484
511
"""Derived from the Avahi example code"""
496
523
class AvahiServiceToSyslog(AvahiService):
497
524
def rename(self, *args, **kwargs):
498
525
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
527
**kwargs)
500
528
syslogger.setFormatter(logging.Formatter(
501
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
502
530
.format(self.name)))
503
531
return ret
504
532
505
533
506
534
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
510
537
511
538
library = ctypes.util.find_library("gnutls")
512
539
if library is None:
513
540
library = ctypes.util.find_library("gnutls-deb0")
514
541
_library = ctypes.cdll.LoadLibrary(library)
515
542
del library
516
_need_version = b"3.3.0"
517
518
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
543
525
544
# Unless otherwise indicated, the constants and types below are
526
545
# all from the gnutls/gnutls.h C header file.
530
549
E_INTERRUPTED = -52
531
550
E_AGAIN = -28
532
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
533
553
CLIENT = 2
534
554
SHUT_RDWR = 0
535
555
CRD_CERTIFICATE = 1
536
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
563
539
564
# Types
540
class session_int(ctypes.Structure):
565
class _session_int(ctypes.Structure):
541
566
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
567
session_t = ctypes.POINTER(_session_int)
543
568
544
569
class certificate_credentials_st(ctypes.Structure):
545
570
_fields_ = []
548
573
certificate_type_t = ctypes.c_int
549
574
550
575
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
576
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
577
("size", ctypes.c_uint)]
553
578
554
class openpgp_crt_int(ctypes.Structure):
579
class _openpgp_crt_int(ctypes.Structure):
555
580
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
581
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
557
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
584
credentials_type_t = ctypes.c_int
562
587
563
588
# Exceptions
564
589
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
590
def __init__(self, message=None, code=None, args=()):
570
591
# Default usage is by a message string, but if a return
571
592
# code is passed, convert it to a string with
572
593
# gnutls.strerror()
573
594
self.code = code
574
595
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
577
599
message, *args)
578
600
579
601
class CertificateSecurityError(Error):
580
602
pass
581
603
604
class PointerTo:
605
def __init__(self, cls):
606
self.cls = cls
607
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
613
614
class CastToVoidPointer:
615
def __init__(self, cls):
616
self.cls = cls
617
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
623
624
class With_from_param:
625
@classmethod
626
def from_param(cls, obj):
627
return obj._as_parameter_
628
582
629
# Classes
583
class Credentials(object):
630
class Credentials(With_from_param):
584
631
def __init__(self):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
588
634
self.type = gnutls.CRD_CERTIFICATE
589
635
590
636
def __del__(self):
591
gnutls.certificate_free_credentials(self._c_object)
637
gnutls.certificate_free_credentials(self)
592
638
593
class ClientSession(object):
639
class ClientSession(With_from_param):
594
640
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
600
True)
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
645
if gnutls.has_rawpk:
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
648
del gnutls_flags
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
601
652
self.socket = socket
602
653
if credentials is None:
603
654
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
606
ctypes.c_void_p))
655
gnutls.credentials_set(self, credentials.type,
656
credentials)
607
657
self.credentials = credentials
608
658
609
659
def __del__(self):
610
gnutls.deinit(self._c_object)
660
gnutls.deinit(self)
611
661
612
662
def handshake(self):
613
return gnutls.handshake(self._c_object)
663
return gnutls.handshake(self)
614
664
615
665
def send(self, data):
616
666
data = bytes(data)
617
667
data_len = len(data)
618
668
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
620
data[-data_len:],
669
data_len -= gnutls.record_send(self, data[-data_len:],
621
670
data_len)
622
671
623
672
def bye(self):
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
625
674
626
675
# Error handling functions
627
676
def _error_code(result):
628
677
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
630
if result >= 0:
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
631
680
return result
632
681
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
682
raise gnutls.CertificateSecurityError(code=result)
634
683
raise gnutls.Error(code=result)
635
684
636
def _retry_on_error(result, func, arguments):
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
637
687
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
639
while result < 0:
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
640
690
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
691
return _error_code(result)
642
692
result = func(*arguments)
647
697
648
698
# Functions
649
699
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
651
701
ctypes.POINTER(ctypes.c_char_p)]
652
702
priority_set_direct.restype = _error_code
653
703
654
704
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
656
706
init.restype = _error_code
657
707
658
708
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
709
set_default_priority.argtypes = [ClientSession]
660
710
set_default_priority.restype = _error_code
661
711
662
712
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
664
714
ctypes.c_size_t]
665
715
record_send.restype = ctypes.c_ssize_t
666
716
record_send.errcheck = _retry_on_error
668
718
certificate_allocate_credentials = (
669
719
_library.gnutls_certificate_allocate_credentials)
670
720
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
721
PointerTo(Credentials)]
672
722
certificate_allocate_credentials.restype = _error_code
673
723
674
724
certificate_free_credentials = (
675
725
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
726
certificate_free_credentials.argtypes = [Credentials]
678
727
certificate_free_credentials.restype = None
679
728
680
729
handshake_set_private_extensions = (
681
730
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
731
handshake_set_private_extensions.argtypes = [ClientSession,
683
732
ctypes.c_int]
684
733
handshake_set_private_extensions.restype = None
685
734
686
735
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
688
ctypes.c_void_p]
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
689
738
credentials_set.restype = _error_code
690
739
691
740
strerror = _library.gnutls_strerror
693
742
strerror.restype = ctypes.c_char_p
694
743
695
744
certificate_type_get = _library.gnutls_certificate_type_get
696
certificate_type_get.argtypes = [session_t]
745
certificate_type_get.argtypes = [ClientSession]
697
746
certificate_type_get.restype = _error_code
698
747
699
748
certificate_get_peers = _library.gnutls_certificate_get_peers
700
certificate_get_peers.argtypes = [session_t,
749
certificate_get_peers.argtypes = [ClientSession,
701
750
ctypes.POINTER(ctypes.c_uint)]
702
751
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
752
710
759
global_set_log_function.restype = None
711
760
712
761
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
762
deinit.argtypes = [ClientSession]
714
763
deinit.restype = None
715
764
716
765
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
719
768
handshake.errcheck = _retry_on_error
720
769
721
770
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
723
772
transport_set_ptr.restype = None
724
773
725
774
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
728
777
bye.errcheck = _retry_on_error
729
778
730
779
check_version = _library.gnutls_check_version
731
780
check_version.argtypes = [ctypes.c_char_p]
732
781
check_version.restype = ctypes.c_char_p
733
782
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
787
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
790
791
if has_rawpk:
792
# Types
793
class pubkey_st(ctypes.Structure):
794
_fields = []
795
pubkey_t = ctypes.POINTER(pubkey_st)
796
797
x509_crt_fmt_t = ctypes.c_int
798
799
# All the function declarations below are from
800
# gnutls/abstract.h
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
804
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
807
x509_crt_fmt_t]
808
pubkey_import.restype = _error_code
809
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
815
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
819
else:
820
# All the function declarations below are from
821
# gnutls/openpgp.h
822
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
826
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
830
openpgp_crt_fmt_t]
831
openpgp_crt_import.restype = _error_code
832
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
836
openpgp_crt_t,
837
ctypes.c_uint,
838
ctypes.POINTER(ctypes.c_uint),
839
]
840
openpgp_crt_verify_self.restype = _error_code
841
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
845
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
849
ctypes.c_void_p,
850
ctypes.POINTER(
851
ctypes.c_size_t)]
852
openpgp_crt_get_fingerprint.restype = _error_code
853
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
762
858
763
859
# Remove non-public functions
764
860
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
767
861
768
862
769
863
def call_pipe(connection, # : multiprocessing.Connection
777
871
connection.close()
778
872
779
873
780
class Client(object):
874
class Client:
781
875
"""A representation of a client host served by this server.
782
876
783
877
Attributes:
784
approved: bool(); 'None' if not yet approved/disapproved
878
approved: bool(); None if not yet approved/disapproved
785
879
approval_delay: datetime.timedelta(); Time to wait for approval
786
880
approval_duration: datetime.timedelta(); Duration of one approval
787
checker: subprocess.Popen(); a running checker process used
788
to see if the client lives.
789
'None' if no process is running.
881
checker: multiprocessing.Process(); a running checker process used
882
to see if the client lives. None if no process is
883
running.
790
884
checker_callback_tag: a GLib event source tag, or None
791
885
checker_command: string; External command which is run to check
792
886
if client lives. %() expansions are done at
800
894
disable_initiator_tag: a GLib event source tag, or None
801
895
enabled: bool()
802
896
fingerprint: string (40 or 32 hexadecimal digits); used to
803
uniquely identify the client
897
uniquely identify an OpenPGP client
898
key_id: string (64 hexadecimal digits); used to uniquely identify
899
a client using raw public keys
804
900
host: string; available for use by the checker command
805
901
interval: datetime.timedelta(); How often to start a new checker
806
902
last_approval_request: datetime.datetime(); (UTC) or None
824
920
"""
825
921
826
922
runtime_expansions = ("approval_delay", "approval_duration",
827
"created", "enabled", "expires",
923
"created", "enabled", "expires", "key_id",
828
924
"fingerprint", "host", "interval",
829
925
"last_approval_request", "last_checked_ok",
830
926
"last_enabled", "name", "timeout")
860
956
client["enabled"] = config.getboolean(client_name,
861
957
"enabled")
862
958
863
# Uppercase and remove spaces from fingerprint for later
864
# comparison purposes with return value from the
865
# fingerprint() function
959
# Uppercase and remove spaces from key_id and fingerprint
960
# for later comparison purposes with return value from the
961
# key_id() and fingerprint() functions
962
client["key_id"] = (section.get("key_id", "").upper()
963
.replace(" ", ""))
866
964
client["fingerprint"] = (section["fingerprint"].upper()
867
965
.replace(" ", ""))
868
966
if "secret" in section:
911
1009
self.last_enabled = None
912
1010
self.expires = None
913
1011
914
logger.debug("Creating client %r", self.name)
915
logger.debug(" Fingerprint: %s", self.fingerprint)
1012
log.debug("Creating client %r", self.name)
1013
log.debug(" Key ID: %s", self.key_id)
1014
log.debug(" Fingerprint: %s", self.fingerprint)
916
1015
self.created = settings.get("created",
917
1016
datetime.datetime.utcnow())
918
1017
957
1056
if not getattr(self, "enabled", False):
958
1057
return False
959
1058
if not quiet:
960
logger.info("Disabling client %s", self.name)
1059
log.info("Disabling client %s", self.name)
961
1060
if getattr(self, "disable_initiator_tag", None) is not None:
962
1061
GLib.source_remove(self.disable_initiator_tag)
963
1062
self.disable_initiator_tag = None
981
1080
if self.checker_initiator_tag is not None:
982
1081
GLib.source_remove(self.checker_initiator_tag)
983
1082
self.checker_initiator_tag = GLib.timeout_add(
984
int(self.interval.total_seconds() * 1000),
1083
random.randrange(int(self.interval.total_seconds() * 1000
1084
+ 1)),
985
1085
self.start_checker)
986
1086
# Schedule a disable() when 'timeout' has passed
987
1087
if self.disable_initiator_tag is not None:
994
1094
def checker_callback(self, source, condition, connection,
995
1095
command):
996
1096
"""The checker has completed, so take appropriate actions."""
997
self.checker_callback_tag = None
998
self.checker = None
999
1097
# Read return code from connection (see call_pipe)
1000
1098
returncode = connection.recv()
1001
1099
connection.close()
1100
if self.checker is not None:
1101
self.checker.join()
1102
self.checker_callback_tag = None
1103
self.checker = None
1002
1104
1003
1105
if returncode >= 0:
1004
1106
self.last_checker_status = returncode
1005
1107
self.last_checker_signal = None
1006
1108
if self.last_checker_status == 0:
1007
logger.info("Checker for %(name)s succeeded",
1008
vars(self))
1109
log.info("Checker for %(name)s succeeded", vars(self))
1009
1110
self.checked_ok()
1010
1111
else:
1011
logger.info("Checker for %(name)s failed", vars(self))
1112
log.info("Checker for %(name)s failed", vars(self))
1012
1113
else:
1013
1114
self.last_checker_status = -1
1014
1115
self.last_checker_signal = -returncode
1015
logger.warning("Checker for %(name)s crashed?",
1016
vars(self))
1116
log.warning("Checker for %(name)s crashed?", vars(self))
1017
1117
return False
1018
1118
1019
1119
def checked_ok(self):
1053
1153
# should be.
1054
1154
1055
1155
if self.checker is not None and not self.checker.is_alive():
1056
logger.warning("Checker was not alive; joining")
1156
log.warning("Checker was not alive; joining")
1057
1157
self.checker.join()
1058
1158
self.checker = None
1059
1159
# Start a new checker if needed
1060
1160
if self.checker is None:
1061
1161
# Escape attributes for the shell
1062
1162
escaped_attrs = {
1063
attr: re.escape(str(getattr(self, attr)))
1163
attr: shlex.quote(str(getattr(self, attr)))
1064
1164
for attr in self.runtime_expansions}
1065
1165
try:
1066
1166
command = self.checker_command % escaped_attrs
1067
1167
except TypeError as error:
1068
logger.error('Could not format string "%s"',
1069
self.checker_command,
1070
exc_info=error)
1168
log.error('Could not format string "%s"',
1169
self.checker_command, exc_info=error)
1071
1170
return True # Try again later
1072
1171
self.current_checker_command = command
1073
logger.info("Starting checker %r for %s", command,
1074
self.name)
1172
log.info("Starting checker %r for %s", command, self.name)
1075
1173
# We don't need to redirect stdout and stderr, since
1076
1174
# in normal mode, that is already done by daemon(),
1077
1175
# and in debug mode we don't want to. (Stdin is
1093
1191
kwargs=popen_args)
1094
1192
self.checker.start()
1095
1193
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1194
GLib.IOChannel.unix_new(pipe[0].fileno()),
1195
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1097
1196
self.checker_callback, pipe[0], command)
1098
1197
# Re-run this periodically if run by GLib.timeout_add
1099
1198
return True
1105
1204
self.checker_callback_tag = None
1106
1205
if getattr(self, "checker", None) is None:
1107
1206
return
1108
logger.debug("Stopping checker for %(name)s", vars(self))
1207
log.debug("Stopping checker for %(name)s", vars(self))
1109
1208
self.checker.terminate()
1110
1209
self.checker = None
1111
1210
1138
1237
func._dbus_name = func.__name__
1139
1238
if func._dbus_name.endswith("_dbus_property"):
1140
1239
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1240
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1142
1241
return func
1143
1242
1144
1243
return decorator
1233
1332
1234
1333
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1235
1334
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
1335
path_keyword="object_path",
1336
connection_keyword="connection")
1238
1337
def Introspect(self, object_path, connection):
1239
1338
"""Overloading of standard D-Bus method.
1240
1339
1289
1388
document.unlink()
1290
1389
except (AttributeError, xml.dom.DOMException,
1291
1390
xml.parsers.expat.ExpatError) as error:
1292
logger.error("Failed to override Introspection method",
1293
exc_info=error)
1391
log.error("Failed to override Introspection method",
1392
exc_info=error)
1294
1393
return xmlstring
1295
1394
1296
1395
1354
1453
raise ValueError("Byte arrays not supported for non-"
1355
1454
"'ay' signature {!r}"
1356
1455
.format(prop._dbus_signature))
1357
value = dbus.ByteArray(b''.join(chr(byte)
1358
for byte in value))
1456
value = dbus.ByteArray(bytes(value))
1359
1457
prop(value)
1360
1458
1361
1459
@dbus.service.method(dbus.PROPERTIES_IFACE,
1394
1492
1395
1493
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1396
1494
out_signature="s",
1397
path_keyword='object_path',
1398
connection_keyword='connection')
1495
path_keyword="object_path",
1496
connection_keyword="connection")
1399
1497
def Introspect(self, object_path, connection):
1400
1498
"""Overloading of standard D-Bus method.
1401
1499
1457
1555
document.unlink()
1458
1556
except (AttributeError, xml.dom.DOMException,
1459
1557
xml.parsers.expat.ExpatError) as error:
1460
logger.error("Failed to override Introspection method",
1461
exc_info=error)
1558
log.error("Failed to override Introspection method",
1559
exc_info=error)
1462
1560
return xmlstring
1463
1561
1464
1562
1496
1594
1497
1595
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1498
1596
out_signature="s",
1499
path_keyword='object_path',
1500
connection_keyword='connection')
1597
path_keyword="object_path",
1598
connection_keyword="connection")
1501
1599
def Introspect(self, object_path, connection):
1502
1600
"""Overloading of standard D-Bus method.
1503
1601
1528
1626
document.unlink()
1529
1627
except (AttributeError, xml.dom.DOMException,
1530
1628
xml.parsers.expat.ExpatError) as error:
1531
logger.error("Failed to override Introspection method",
1532
exc_info=error)
1629
log.error("Failed to override Introspection method",
1630
exc_info=error)
1533
1631
return xmlstring
1534
1632
1535
1633
1999
2097
def Name_dbus_property(self):
2000
2098
return dbus.String(self.name)
2001
2099
2100
# KeyID - property
2101
@dbus_annotations(
2102
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2103
@dbus_service_property(_interface, signature="s", access="read")
2104
def KeyID_dbus_property(self):
2105
return dbus.String(self.key_id)
2106
2002
2107
# Fingerprint - property
2003
2108
@dbus_annotations(
2004
2109
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2159
2264
del _interface
2160
2265
2161
2266
2162
class ProxyClient(object):
2163
def __init__(self, child_pipe, fpr, address):
2267
class ProxyClient:
2268
def __init__(self, child_pipe, key_id, fpr, address):
2164
2269
self._pipe = child_pipe
2165
self._pipe.send(('init', fpr, address))
2270
self._pipe.send(("init", key_id, fpr, address))
2166
2271
if not self._pipe.recv():
2167
raise KeyError(fpr)
2272
raise KeyError(key_id or fpr)
2168
2273
2169
2274
def __getattribute__(self, name):
2170
if name == '_pipe':
2275
if name == "_pipe":
2171
2276
return super(ProxyClient, self).__getattribute__(name)
2172
self._pipe.send(('getattr', name))
2277
self._pipe.send(("getattr", name))
2173
2278
data = self._pipe.recv()
2174
if data[0] == 'data':
2279
if data[0] == "data":
2175
2280
return data[1]
2176
if data[0] == 'function':
2281
if data[0] == "function":
2177
2282
2178
2283
def func(*args, **kwargs):
2179
self._pipe.send(('funcall', name, args, kwargs))
2284
self._pipe.send(("funcall", name, args, kwargs))
2180
2285
return self._pipe.recv()[1]
2181
2286
2182
2287
return func
2183
2288
2184
2289
def __setattr__(self, name, value):
2185
if name == '_pipe':
2290
if name == "_pipe":
2186
2291
return super(ProxyClient, self).__setattr__(name, value)
2187
self._pipe.send(('setattr', name, value))
2292
self._pipe.send(("setattr", name, value))
2188
2293
2189
2294
2190
2295
class ClientHandler(socketserver.BaseRequestHandler, object):
2195
2300
2196
2301
def handle(self):
2197
2302
with contextlib.closing(self.server.child_pipe) as child_pipe:
2198
logger.info("TCP connection from: %s",
2199
str(self.client_address))
2200
logger.debug("Pipe FD: %d",
2201
self.server.child_pipe.fileno())
2303
log.info("TCP connection from: %s",
2304
str(self.client_address))
2305
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2202
2306
2203
2307
session = gnutls.ClientSession(self.request)
2204
2308
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2309
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2206
2310
# "+AES-256-CBC", "+SHA1",
2207
2311
# "+COMP-NULL", "+CTYPE-OPENPGP",
2208
2312
# "+DHE-DSS"))
2210
2314
priority = self.server.gnutls_priority
2211
2315
if priority is None:
2212
2316
priority = "NORMAL"
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
2215
None)
2317
gnutls.priority_set_direct(session,
2318
priority.encode("utf-8"), None)
2216
2319
2217
2320
# Start communication using the Mandos protocol
2218
2321
# Get protocol number
2219
2322
line = self.request.makefile().readline()
2220
logger.debug("Protocol version: %r", line)
2323
log.debug("Protocol version: %r", line)
2221
2324
try:
2222
2325
if int(line.strip().split()[0]) > 1:
2223
2326
raise RuntimeError(line)
2224
2327
except (ValueError, IndexError, RuntimeError) as error:
2225
logger.error("Unknown protocol version: %s", error)
2328
log.error("Unknown protocol version: %s", error)
2226
2329
return
2227
2330
2228
2331
# Start GnuTLS connection
2229
2332
try:
2230
2333
session.handshake()
2231
2334
except gnutls.Error as error:
2232
logger.warning("Handshake failed: %s", error)
2335
log.warning("Handshake failed: %s", error)
2233
2336
# Do not run session.bye() here: the session is not
2234
2337
# established. Just abandon the request.
2235
2338
return
2236
logger.debug("Handshake succeeded")
2339
log.debug("Handshake succeeded")
2237
2340
2238
2341
approval_required = False
2239
2342
try:
2240
try:
2241
fpr = self.fingerprint(
2242
self.peer_certificate(session))
2243
except (TypeError, gnutls.Error) as error:
2244
logger.warning("Bad certificate: %s", error)
2245
return
2246
logger.debug("Fingerprint: %s", fpr)
2247
2248
try:
2249
client = ProxyClient(child_pipe, fpr,
2343
if gnutls.has_rawpk:
2344
fpr = b""
2345
try:
2346
key_id = self.key_id(
2347
self.peer_certificate(session))
2348
except (TypeError, gnutls.Error) as error:
2349
log.warning("Bad certificate: %s", error)
2350
return
2351
log.debug("Key ID: %s",
2352
key_id.decode("utf-8",
2353
errors="replace"))
2354
2355
else:
2356
key_id = b""
2357
try:
2358
fpr = self.fingerprint(
2359
self.peer_certificate(session))
2360
except (TypeError, gnutls.Error) as error:
2361
log.warning("Bad certificate: %s", error)
2362
return
2363
log.debug("Fingerprint: %s", fpr)
2364
2365
try:
2366
client = ProxyClient(child_pipe, key_id, fpr,
2250
2367
self.client_address)
2251
2368
except KeyError:
2252
2369
return
2258
2375
2259
2376
while True:
2260
2377
if not client.enabled:
2261
logger.info("Client %s is disabled",
2262
client.name)
2378
log.info("Client %s is disabled", client.name)
2263
2379
if self.server.use_dbus:
2264
2380
# Emit D-Bus signal
2265
2381
client.Rejected("Disabled")
2269
2385
# We are approved or approval is disabled
2270
2386
break
2271
2387
elif client.approved is None:
2272
logger.info("Client %s needs approval",
2273
client.name)
2388
log.info("Client %s needs approval",
2389
client.name)
2274
2390
if self.server.use_dbus:
2275
2391
# Emit D-Bus signal
2276
2392
client.NeedApproval(
2277
2393
client.approval_delay.total_seconds()
2278
2394
* 1000, client.approved_by_default)
2279
2395
else:
2280
logger.warning("Client %s was not approved",
2281
client.name)
2396
log.warning("Client %s was not approved",
2397
client.name)
2282
2398
if self.server.use_dbus:
2283
2399
# Emit D-Bus signal
2284
2400
client.Rejected("Denied")
2292
2408
time2 = datetime.datetime.now()
2293
2409
if (time2 - time) >= delay:
2294
2410
if not client.approved_by_default:
2295
logger.warning("Client %s timed out while"
2296
" waiting for approval",
2297
client.name)
2411
log.warning("Client %s timed out while"
2412
" waiting for approval",
2413
client.name)
2298
2414
if self.server.use_dbus:
2299
2415
# Emit D-Bus signal
2300
2416
client.Rejected("Approval timed out")
2307
2423
try:
2308
2424
session.send(client.secret)
2309
2425
except gnutls.Error as error:
2310
logger.warning("gnutls send failed",
2311
exc_info=error)
2426
log.warning("gnutls send failed", exc_info=error)
2312
2427
return
2313
2428
2314
logger.info("Sending secret to %s", client.name)
2429
log.info("Sending secret to %s", client.name)
2315
2430
# bump the timeout using extended_timeout
2316
2431
client.bump_timeout(client.extended_timeout)
2317
2432
if self.server.use_dbus:
2324
2439
try:
2325
2440
session.bye()
2326
2441
except gnutls.Error as error:
2327
logger.warning("GnuTLS bye failed",
2328
exc_info=error)
2442
log.warning("GnuTLS bye failed", exc_info=error)
2329
2443
2330
2444
@staticmethod
2331
2445
def peer_certificate(session):
2332
"Return the peer's OpenPGP certificate as a bytestring"
2333
# If not an OpenPGP certificate...
2334
if (gnutls.certificate_type_get(session._c_object)
2335
!= gnutls.CRT_OPENPGP):
2446
"Return the peer's certificate as a bytestring"
2447
try:
2448
cert_type = gnutls.certificate_type_get2(
2449
session, gnutls.CTYPE_PEERS)
2450
except AttributeError:
2451
cert_type = gnutls.certificate_type_get(session)
2452
if gnutls.has_rawpk:
2453
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2454
else:
2455
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2456
# If not a valid certificate type...
2457
if cert_type not in valid_cert_types:
2458
log.info("Cert type %r not in %r", cert_type,
2459
valid_cert_types)
2336
2460
# ...return invalid data
2337
2461
return b""
2338
2462
list_size = ctypes.c_uint(1)
2339
2463
cert_list = (gnutls.certificate_get_peers
2340
(session._c_object, ctypes.byref(list_size)))
2464
(session, ctypes.byref(list_size)))
2341
2465
if not bool(cert_list) and list_size.value != 0:
2342
2466
raise gnutls.Error("error getting peer certificate")
2343
2467
if list_size.value == 0:
2346
2470
return ctypes.string_at(cert.data, cert.size)
2347
2471
2348
2472
@staticmethod
2473
def key_id(certificate):
2474
"Convert a certificate bytestring to a hexdigit key ID"
2475
# New GnuTLS "datum" with the public key
2476
datum = gnutls.datum_t(
2477
ctypes.cast(ctypes.c_char_p(certificate),
2478
ctypes.POINTER(ctypes.c_ubyte)),
2479
ctypes.c_uint(len(certificate)))
2480
# XXX all these need to be created in the gnutls "module"
2481
# New empty GnuTLS certificate
2482
pubkey = gnutls.pubkey_t()
2483
gnutls.pubkey_init(ctypes.byref(pubkey))
2484
# Import the raw public key into the certificate
2485
gnutls.pubkey_import(pubkey,
2486
ctypes.byref(datum),
2487
gnutls.X509_FMT_DER)
2488
# New buffer for the key ID
2489
buf = ctypes.create_string_buffer(32)
2490
buf_len = ctypes.c_size_t(len(buf))
2491
# Get the key ID from the raw public key into the buffer
2492
gnutls.pubkey_get_key_id(
2493
pubkey,
2494
gnutls.KEYID_USE_SHA256,
2495
ctypes.cast(ctypes.byref(buf),
2496
ctypes.POINTER(ctypes.c_ubyte)),
2497
ctypes.byref(buf_len))
2498
# Deinit the certificate
2499
gnutls.pubkey_deinit(pubkey)
2500
2501
# Convert the buffer to a Python bytestring
2502
key_id = ctypes.string_at(buf, buf_len.value)
2503
# Convert the bytestring to hexadecimal notation
2504
hex_key_id = binascii.hexlify(key_id).upper()
2505
return hex_key_id
2506
2507
@staticmethod
2349
2508
def fingerprint(openpgp):
2350
2509
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2351
2510
# New GnuTLS "datum" with the OpenPGP public key
2365
2524
ctypes.byref(crtverify))
2366
2525
if crtverify.value != 0:
2367
2526
gnutls.openpgp_crt_deinit(crt)
2368
raise gnutls.CertificateSecurityError("Verify failed")
2527
raise gnutls.CertificateSecurityError(code
2528
=crtverify.value)
2369
2529
# New buffer for the fingerprint
2370
2530
buf = ctypes.create_string_buffer(20)
2371
2531
buf_len = ctypes.c_size_t()
2381
2541
return hex_fpr
2382
2542
2383
2543
2384
class MultiprocessingMixIn(object):
2544
class MultiprocessingMixIn:
2385
2545
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2386
2546
2387
2547
def sub_process_main(self, request, address):
2399
2559
return proc
2400
2560
2401
2561
2402
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2562
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2403
2563
""" adds a pipe to the MixIn """
2404
2564
2405
2565
def process_request(self, request, client_address):
2420
2580
2421
2581
2422
2582
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2423
socketserver.TCPServer, object):
2424
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2583
socketserver.TCPServer):
2584
"""IPv6-capable TCP server. Accepts None as address and/or port
2425
2585
2426
2586
Attributes:
2427
2587
enabled: Boolean; whether this server is activated yet
2478
2638
if SO_BINDTODEVICE is None:
2479
2639
# Fall back to a hard-coded value which seems to be
2480
2640
# common enough.
2481
logger.warning("SO_BINDTODEVICE not found, trying 25")
2641
log.warning("SO_BINDTODEVICE not found, trying 25")
2482
2642
SO_BINDTODEVICE = 25
2483
2643
try:
2484
2644
self.socket.setsockopt(
2486
2646
(self.interface + "\0").encode("utf-8"))
2487
2647
except socket.error as error:
2488
2648
if error.errno == errno.EPERM:
2489
logger.error("No permission to bind to"
2490
" interface %s", self.interface)
2649
log.error("No permission to bind to interface %s",
2650
self.interface)
2491
2651
elif error.errno == errno.ENOPROTOOPT:
2492
logger.error("SO_BINDTODEVICE not available;"
2493
" cannot bind to interface %s",
2494
self.interface)
2652
log.error("SO_BINDTODEVICE not available; cannot"
2653
" bind to interface %s", self.interface)
2495
2654
elif error.errno == errno.ENODEV:
2496
logger.error("Interface %s does not exist,"
2497
" cannot bind", self.interface)
2655
log.error("Interface %s does not exist, cannot"
2656
" bind", self.interface)
2498
2657
else:
2499
2658
raise
2500
2659
# Only bind(2) the socket if we really need to.
2501
2660
if self.server_address[0] or self.server_address[1]:
2661
if self.server_address[1]:
2662
self.allow_reuse_address = True
2502
2663
if not self.server_address[0]:
2503
2664
if self.address_family == socket.AF_INET6:
2504
2665
any_address = "::" # in6addr_any
2557
2718
def add_pipe(self, parent_pipe, proc):
2558
2719
# Call "handle_ipc" for both data and EOF events
2559
2720
GLib.io_add_watch(
2560
parent_pipe.fileno(),
2561
GLib.IO_IN | GLib.IO_HUP,
2721
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2722
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2562
2723
functools.partial(self.handle_ipc,
2563
2724
parent_pipe=parent_pipe,
2564
2725
proc=proc))
2577
2738
request = parent_pipe.recv()
2578
2739
command = request[0]
2579
2740
2580
if command == 'init':
2581
fpr = request[1].decode("ascii")
2582
address = request[2]
2741
if command == "init":
2742
key_id = request[1].decode("ascii")
2743
fpr = request[2].decode("ascii")
2744
address = request[3]
2583
2745
2584
2746
for c in self.clients.values():
2585
if c.fingerprint == fpr:
2747
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2748
"27AE41E4649B934CA495991B7852B855"):
2749
continue
2750
if key_id and c.key_id == key_id:
2751
client = c
2752
break
2753
if fpr and c.fingerprint == fpr:
2586
2754
client = c
2587
2755
break
2588
2756
else:
2589
logger.info("Client not found for fingerprint: %s, ad"
2590
"dress: %s", fpr, address)
2757
log.info("Client not found for key ID: %s, address:"
2758
" %s", key_id or fpr, address)
2591
2759
if self.use_dbus:
2592
2760
# Emit D-Bus signal
2593
mandos_dbus_service.ClientNotFound(fpr,
2761
mandos_dbus_service.ClientNotFound(key_id or fpr,
2594
2762
address[0])
2595
2763
parent_pipe.send(False)
2596
2764
return False
2597
2765
2598
2766
GLib.io_add_watch(
2599
parent_pipe.fileno(),
2600
GLib.IO_IN | GLib.IO_HUP,
2767
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2768
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2601
2769
functools.partial(self.handle_ipc,
2602
2770
parent_pipe=parent_pipe,
2603
2771
proc=proc,
2606
2774
# remove the old hook in favor of the new above hook on
2607
2775
# same fileno
2608
2776
return False
2609
if command == 'funcall':
2777
if command == "funcall":
2610
2778
funcname = request[1]
2611
2779
args = request[2]
2612
2780
kwargs = request[3]
2613
2781
2614
parent_pipe.send(('data', getattr(client_object,
2782
parent_pipe.send(("data", getattr(client_object,
2615
2783
funcname)(*args,
2616
2784
**kwargs)))
2617
2785
2618
if command == 'getattr':
2786
if command == "getattr":
2619
2787
attrname = request[1]
2620
2788
if isinstance(client_object.__getattribute__(attrname),
2621
collections.Callable):
2622
parent_pipe.send(('function', ))
2789
collections.abc.Callable):
2790
parent_pipe.send(("function", ))
2623
2791
else:
2624
2792
parent_pipe.send((
2625
'data', client_object.__getattribute__(attrname)))
2793
"data", client_object.__getattribute__(attrname)))
2626
2794
2627
if command == 'setattr':
2795
if command == "setattr":
2628
2796
attrname = request[1]
2629
2797
value = request[2]
2630
2798
setattr(client_object, attrname, value)
2635
2803
def rfc3339_duration_to_delta(duration):
2636
2804
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2637
2805
2638
>>> rfc3339_duration_to_delta("P7D")
2639
datetime.timedelta(7)
2640
>>> rfc3339_duration_to_delta("PT60S")
2641
datetime.timedelta(0, 60)
2642
>>> rfc3339_duration_to_delta("PT60M")
2643
datetime.timedelta(0, 3600)
2644
>>> rfc3339_duration_to_delta("PT24H")
2645
datetime.timedelta(1)
2646
>>> rfc3339_duration_to_delta("P1W")
2647
datetime.timedelta(7)
2648
>>> rfc3339_duration_to_delta("PT5M30S")
2649
datetime.timedelta(0, 330)
2650
>>> rfc3339_duration_to_delta("P1DT3M20S")
2651
datetime.timedelta(1, 200)
2806
>>> timedelta = datetime.timedelta
2807
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2808
True
2809
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2810
True
2811
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2812
True
2813
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2814
True
2815
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2816
True
2817
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2818
True
2819
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2820
True
2821
>>> del timedelta
2652
2822
"""
2653
2823
2654
2824
# Parsing an RFC 3339 duration with regular expressions is not
2734
2904
def string_to_delta(interval):
2735
2905
"""Parse a string and return a datetime.timedelta
2736
2906
2737
>>> string_to_delta('7d')
2738
datetime.timedelta(7)
2739
>>> string_to_delta('60s')
2740
datetime.timedelta(0, 60)
2741
>>> string_to_delta('60m')
2742
datetime.timedelta(0, 3600)
2743
>>> string_to_delta('24h')
2744
datetime.timedelta(1)
2745
>>> string_to_delta('1w')
2746
datetime.timedelta(7)
2747
>>> string_to_delta('5m 30s')
2748
datetime.timedelta(0, 330)
2907
>>> string_to_delta("7d") == datetime.timedelta(7)
2908
True
2909
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2910
True
2911
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2912
True
2913
>>> string_to_delta("24h") == datetime.timedelta(1)
2914
True
2915
>>> string_to_delta("1w") == datetime.timedelta(7)
2916
True
2917
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2918
True
2749
2919
"""
2750
2920
2751
2921
try:
2853
3023
2854
3024
options = parser.parse_args()
2855
3025
2856
if options.check:
2857
import doctest
2858
fail_count, test_count = doctest.testmod()
2859
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2861
3026
# Default values for config file for server-global settings
3027
if gnutls.has_rawpk:
3028
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3029
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3030
else:
3031
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3032
":+SIGN-DSA-SHA256")
2862
3033
server_defaults = {"interface": "",
2863
3034
"address": "",
2864
3035
"port": "",
2865
3036
"debug": "False",
2866
"priority":
2867
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2868
":+SIGN-DSA-SHA256",
3037
"priority": priority,
2869
3038
"servicename": "Mandos",
2870
3039
"use_dbus": "True",
2871
3040
"use_ipv6": "True",
2876
3045
"foreground": "False",
2877
3046
"zeroconf": "True",
2878
3047
}
3048
del priority
2879
3049
2880
3050
# Parse config file for server-global settings
2881
server_config = configparser.SafeConfigParser(server_defaults)
3051
server_config = configparser.ConfigParser(server_defaults)
2882
3052
del server_defaults
2883
3053
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2884
# Convert the SafeConfigParser object to a dict
3054
# Convert the ConfigParser object to a dict
2885
3055
server_settings = server_config.defaults()
2886
3056
# Use the appropriate methods on the non-string config options
2887
3057
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2954
3124
2955
3125
if server_settings["servicename"] != "Mandos":
2956
3126
syslogger.setFormatter(
2957
logging.Formatter('Mandos ({}) [%(process)d]:'
2958
' %(levelname)s: %(message)s'.format(
3127
logging.Formatter("Mandos ({}) [%(process)d]:"
3128
" %(levelname)s: %(message)s".format(
2959
3129
server_settings["servicename"])))
2960
3130
2961
3131
# Parse config file with clients
2962
client_config = configparser.SafeConfigParser(Client
2963
.client_defaults)
3132
client_config = configparser.ConfigParser(Client.client_defaults)
2964
3133
client_config.read(os.path.join(server_settings["configdir"],
2965
3134
"clients.conf"))
2966
3135
2986
3155
try:
2987
3156
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2988
3157
except IOError as e:
2989
logger.error("Could not open file %r", pidfilename,
2990
exc_info=e)
3158
log.error("Could not open file %r", pidfilename,
3159
exc_info=e)
2991
3160
2992
3161
for name, group in (("_mandos", "_mandos"),
2993
3162
("mandos", "mandos"),
3004
3173
try:
3005
3174
os.setgid(gid)
3006
3175
os.setuid(uid)
3007
if debug:
3008
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3009
gid))
3176
log.debug("Did setuid/setgid to %s:%s", uid, gid)
3010
3177
except OSError as error:
3011
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3012
.format(uid, gid, os.strerror(error.errno)))
3178
log.warning("Failed to setuid/setgid to %s:%s: %s", uid, gid,
3179
os.strerror(error.errno))
3013
3180
if error.errno != errno.EPERM:
3014
3181
raise
3015
3182
3022
3189
3023
3190
@gnutls.log_func
3024
3191
def debug_gnutls(level, string):
3025
logger.debug("GnuTLS: %s", string[:-1])
3192
log.debug("GnuTLS: %s",
3193
string[:-1].decode("utf-8", errors="replace"))
3026
3194
3027
3195
gnutls.global_set_log_function(debug_gnutls)
3028
3196
3037
3205
# Close all input and output, do double fork, etc.
3038
3206
daemon()
3039
3207
3040
# multiprocessing will use threads, so before we use GLib we need
3041
# to inform GLib that threads will be used.
3042
GLib.threads_init()
3208
if gi.version_info < (3, 10, 2):
3209
# multiprocessing will use threads, so before we use GLib we
3210
# need to inform GLib that threads will be used.
3211
GLib.threads_init()
3043
3212
3044
3213
global main_loop
3045
3214
# From the Avahi example code
3056
3225
"se.bsnet.fukt.Mandos", bus,
3057
3226
do_not_queue=True)
3058
3227
except dbus.exceptions.DBusException as e:
3059
logger.error("Disabling D-Bus:", exc_info=e)
3228
log.error("Disabling D-Bus:", exc_info=e)
3060
3229
use_dbus = False
3061
3230
server_settings["use_dbus"] = False
3062
3231
tcp_server.use_dbus = False
3121
3290
if isinstance(s, bytes)
3122
3291
else s) for s in
3123
3292
value["client_structure"]]
3124
# .name & .host
3125
for k in ("name", "host"):
3293
# .name, .host, and .checker_command
3294
for k in ("name", "host", "checker_command"):
3126
3295
if isinstance(value[k], bytes):
3127
3296
value[k] = value[k].decode("utf-8")
3297
if "key_id" not in value:
3298
value["key_id"] = ""
3299
elif "fingerprint" not in value:
3300
value["fingerprint"] = ""
3128
3301
# old_client_settings
3129
3302
# .keys()
3130
3303
old_client_settings = {
3134
3307
for key, value in
3135
3308
bytes_old_client_settings.items()}
3136
3309
del bytes_old_client_settings
3137
# .host
3310
# .host and .checker_command
3138
3311
for value in old_client_settings.values():
3139
if isinstance(value["host"], bytes):
3140
value["host"] = (value["host"]
3141
.decode("utf-8"))
3312
for attribute in ("host", "checker_command"):
3313
if isinstance(value[attribute], bytes):
3314
value[attribute] = (value[attribute]
3315
.decode("utf-8"))
3142
3316
os.remove(stored_state_path)
3143
3317
except IOError as e:
3144
3318
if e.errno == errno.ENOENT:
3145
logger.warning("Could not load persistent state:"
3146
" {}".format(os.strerror(e.errno)))
3319
log.warning("Could not load persistent state:"
3320
" %s", os.strerror(e.errno))
3147
3321
else:
3148
logger.critical("Could not load persistent state:",
3149
exc_info=e)
3322
log.critical("Could not load persistent state:",
3323
exc_info=e)
3150
3324
raise
3151
3325
except EOFError as e:
3152
logger.warning("Could not load persistent state: "
3153
"EOFError:",
3154
exc_info=e)
3326
log.warning("Could not load persistent state: EOFError:",
3327
exc_info=e)
3155
3328
3156
3329
with PGPEngine() as pgp:
3157
3330
for client_name, client in clients_data.items():
3184
3357
if client["enabled"]:
3185
3358
if datetime.datetime.utcnow() >= client["expires"]:
3186
3359
if not client["last_checked_ok"]:
3187
logger.warning(
3188
"disabling client {} - Client never "
3189
"performed a successful checker".format(
3190
client_name))
3360
log.warning("disabling client %s - Client"
3361
" never performed a successful"
3362
" checker", client_name)
3191
3363
client["enabled"] = False
3192
3364
elif client["last_checker_status"] != 0:
3193
logger.warning(
3194
"disabling client {} - Client last"
3195
" checker failed with error code"
3196
" {}".format(
3197
client_name,
3198
client["last_checker_status"]))
3365
log.warning("disabling client %s - Client"
3366
" last checker failed with error"
3367
" code %s", client_name,
3368
client["last_checker_status"])
3199
3369
client["enabled"] = False
3200
3370
else:
3201
3371
client["expires"] = (
3202
3372
datetime.datetime.utcnow()
3203
3373
+ client["timeout"])
3204
logger.debug("Last checker succeeded,"
3205
" keeping {} enabled".format(
3206
client_name))
3374
log.debug("Last checker succeeded, keeping %s"
3375
" enabled", client_name)
3207
3376
try:
3208
3377
client["secret"] = pgp.decrypt(
3209
3378
client["encrypted_secret"],
3210
3379
client_settings[client_name]["secret"])
3211
3380
except PGPError:
3212
3381
# If decryption fails, we use secret from new settings
3213
logger.debug("Failed to decrypt {} old secret".format(
3214
client_name))
3382
log.debug("Failed to decrypt %s old secret",
3383
client_name)
3215
3384
client["secret"] = (client_settings[client_name]
3216
3385
["secret"])
3217
3386
3231
3400
server_settings=server_settings)
3232
3401
3233
3402
if not tcp_server.clients:
3234
logger.warning("No clients defined")
3403
log.warning("No clients defined")
3235
3404
3236
3405
if not foreground:
3237
3406
if pidfile is not None:
3240
3409
with pidfile:
3241
3410
print(pid, file=pidfile)
3242
3411
except IOError:
3243
logger.error("Could not write to file %r with PID %d",
3244
pidfilename, pid)
3412
log.error("Could not write to file %r with PID %d",
3413
pidfilename, pid)
3245
3414
del pidfile
3246
3415
del pidfilename
3247
3416
3267
3436
pass
3268
3437
3269
3438
@dbus.service.signal(_interface, signature="ss")
3270
def ClientNotFound(self, fingerprint, address):
3439
def ClientNotFound(self, key_id, address):
3271
3440
"D-Bus signal"
3272
3441
pass
3273
3442
3397
3566
3398
3567
try:
3399
3568
with tempfile.NamedTemporaryFile(
3400
mode='wb',
3569
mode="wb",
3401
3570
suffix=".pickle",
3402
prefix='clients-',
3571
prefix="clients-",
3403
3572
dir=os.path.dirname(stored_state_path),
3404
3573
delete=False) as stored_state:
3405
3574
pickle.dump((clients, client_settings), stored_state,
3413
3582
except NameError:
3414
3583
pass
3415
3584
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
3416
logger.warning("Could not save persistent state: {}"
3417
.format(os.strerror(e.errno)))
3585
log.warning("Could not save persistent state: %s",
3586
os.strerror(e.errno))
3418
3587
else:
3419
logger.warning("Could not save persistent state:",
3420
exc_info=e)
3588
log.warning("Could not save persistent state:",
3589
exc_info=e)
3421
3590
raise
3422
3591
3423
3592
# Delete all clients, and settings from config
3449
3618
if zeroconf:
3450
3619
service.port = tcp_server.socket.getsockname()[1]
3451
3620
if use_ipv6:
3452
logger.info("Now listening on address %r, port %d,"
3453
" flowinfo %d, scope_id %d",
3454
*tcp_server.socket.getsockname())
3621
log.info("Now listening on address %r, port %d, flowinfo %d,"
3622
" scope_id %d", *tcp_server.socket.getsockname())
3455
3623
else: # IPv4
3456
logger.info("Now listening on address %r, port %d",
3457
*tcp_server.socket.getsockname())
3624
log.info("Now listening on address %r, port %d",
3625
*tcp_server.socket.getsockname())
3458
3626
3459
3627
# service.interface = tcp_server.socket.getsockname()[3]
3460
3628
3464
3632
try:
3465
3633
service.activate()
3466
3634
except dbus.exceptions.DBusException as error:
3467
logger.critical("D-Bus Exception", exc_info=error)
3635
log.critical("D-Bus Exception", exc_info=error)
3468
3636
cleanup()
3469
3637
sys.exit(1)
3470
3638
# End of Avahi example code
3471
3639
3472
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3473
lambda *args, **kwargs:
3474
(tcp_server.handle_request
3475
(*args[2:], **kwargs) or True))
3640
GLib.io_add_watch(
3641
GLib.IOChannel.unix_new(tcp_server.fileno()),
3642
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3643
lambda *args, **kwargs: (tcp_server.handle_request
3644
(*args[2:], **kwargs) or True))
3476
3645
3477
logger.debug("Starting main loop")
3646
log.debug("Starting main loop")
3478
3647
main_loop.run()
3479
3648
except AvahiError as error:
3480
logger.critical("Avahi Error", exc_info=error)
3649
log.critical("Avahi Error", exc_info=error)
3481
3650
cleanup()
3482
3651
sys.exit(1)
3483
3652
except KeyboardInterrupt:
3484
3653
if debug:
3485
3654
print("", file=sys.stderr)
3486
logger.debug("Server received KeyboardInterrupt")
3487
logger.debug("Server exiting")
3655
log.debug("Server received KeyboardInterrupt")
3656
log.debug("Server exiting")
3488
3657
# Must run before the D-Bus bus name gets deregistered
3489
3658
cleanup()
3490
3659
3491
3492
if __name__ == '__main__':
3493
main()
3660
3661
def parse_test_args():
3662
# type: () -> argparse.Namespace
3663
parser = argparse.ArgumentParser(add_help=False)
3664
parser.add_argument("--check", action="store_true")
3665
parser.add_argument("--prefix", )
3666
args, unknown_args = parser.parse_known_args()
3667
if args.check:
3668
# Remove test options from sys.argv
3669
sys.argv[1:] = unknown_args
3670
return args
3671
3672
# Add all tests from doctest strings
3673
def load_tests(loader, tests, none):
3674
import doctest
3675
tests.addTests(doctest.DocTestSuite())
3676
return tests
3677
3678
if __name__ == "__main__":
3679
options = parse_test_args()
3680
try:
3681
if options.check:
3682
extra_test_prefix = options.prefix
3683
if extra_test_prefix is not None:
3684
if not (unittest.main(argv=[""], exit=False)
3685
.result.wasSuccessful()):
3686
sys.exit(1)
3687
class ExtraTestLoader(unittest.TestLoader):
3688
testMethodPrefix = extra_test_prefix
3689
# Call using ./scriptname --test [--verbose]
3690
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3691
else:
3692
unittest.main(argv=[""])
3693
else:
3694
main()
3695
finally:
3696
logging.shutdown()
3697
3698
# Local Variables:
3699
# run-tests:
3700
# (lambda (&optional extra)
3701
# (if (not (funcall run-tests-in-test-buffer default-directory
3702
# extra))
3703
# (funcall show-test-buffer-in-test-window)
3704
# (funcall remove-test-window)
3705
# (if extra (message "Extra tests run successfully!"))))
3706
# run-tests-in-test-buffer:
3707
# (lambda (dir &optional extra)
3708
# (with-current-buffer (get-buffer-create "*Test*")
3709
# (setq buffer-read-only nil
3710
# default-directory dir)
3711
# (erase-buffer)
3712
# (compilation-mode))
3713
# (let ((process-result
3714
# (let ((inhibit-read-only t))
3715
# (process-file-shell-command
3716
# (funcall get-command-line extra) nil "*Test*"))))
3717
# (and (numberp process-result)
3718
# (= process-result 0))))
3719
# get-command-line:
3720
# (lambda (&optional extra)
3721
# (let ((quoted-script
3722
# (shell-quote-argument (funcall get-script-name))))
3723
# (format
3724
# (concat "%s --check" (if extra " --prefix=atest" ""))
3725
# quoted-script)))
3726
# get-script-name:
3727
# (lambda ()
3728
# (if (fboundp 'file-local-name)
3729
# (file-local-name (buffer-file-name))
3730
# (or (file-remote-p (buffer-file-name) 'localname)
3731
# (buffer-file-name))))
3732
# remove-test-window:
3733
# (lambda ()
3734
# (let ((test-window (get-buffer-window "*Test*")))
3735
# (if test-window (delete-window test-window))))
3736
# show-test-buffer-in-test-window:
3737
# (lambda ()
3738
# (when (not (get-buffer-window-list "*Test*"))
3739
# (setq next-error-last-buffer (get-buffer "*Test*"))
3740
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3741
# (display-buffer-overriding-action
3742
# `((display-buffer-in-side-window) (side . ,side)
3743
# (window-height . fit-window-to-buffer)
3744
# (window-width . fit-window-to-buffer))))
3745
# (display-buffer "*Test*"))))
3746
# eval:
3747
# (progn
3748
# (let* ((run-extra-tests (lambda () (interactive)
3749
# (funcall run-tests t)))
3750
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3751
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3752
# (setq minor-mode-overriding-map-alist
3753
# (cons `(run-tests . ,outer-keymap)
3754
# minor-mode-overriding-map-alist)))
3755
# (add-hook 'after-save-hook run-tests 90 t))
3756
# End:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0