To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 237.4.80
- compare with another revision
- download diff
- download tarball
- view history from revision 237.4.80
- Committer: Teddy Hogeborn
- Date: 2016-06-23 20:10:40 UTC
- mto: This revision was merged to the branch mainline in revision 861.
- Revision ID: teddy@recompile.se-20160623201040-33k2tpdbnxjqfjcp
Tags: version-1.7.10-1
* Makefile (version): Change to 1.7.10.
* NEWS (Version 1.7.10): Add new entry.
* debian/changelog (1.7.10-1): - '' -
* NEWS (Version 1.7.10): Add new entry.
* debian/changelog (1.7.10-1): - '' -
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- coding: utf-8; lexical-binding: t -*-
3
#
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
39
39
except ImportError:
40
40
pass
41
41
42
import sys
43
import unittest
44
import argparse
45
import logging
46
import os
47
42
try:
48
43
import SocketServer as socketserver
49
44
except ImportError:
50
45
import socketserver
51
46
import socket
47
import argparse
52
48
import datetime
53
49
import errno
54
50
try:
55
51
import ConfigParser as configparser
56
52
except ImportError:
57
53
import configparser
54
import sys
58
55
import re
56
import os
59
57
import signal
60
58
import subprocess
61
59
import atexit
62
60
import stat
61
import logging
63
62
import logging.handlers
64
63
import pwd
65
64
import contextlib
77
76
import itertools
78
77
import collections
79
78
import codecs
80
import random
81
import shlex
82
79
83
80
import dbus
84
81
import dbus.service
85
import gi
86
82
from gi.repository import GLib
87
83
from dbus.mainloop.glib import DBusGMainLoop
88
84
import ctypes
90
86
import xml.dom.minidom
91
87
import inspect
92
88
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
input = raw_input
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
89
# Try to find the value of SO_BINDTODEVICE:
119
90
try:
120
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
140
111
# No value found
141
112
SO_BINDTODEVICE = None
142
113
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
114
if sys.version_info.major == 2:
115
str = unicode
145
116
146
version = "1.8.14"
117
version = "1.7.10"
147
118
stored_state_file = "clients.pickle"
148
119
149
log = logging.getLogger(os.path.basename(sys.argv[0]))
150
logging.captureWarnings(True) # Show warnings via the logging system
120
logger = logging.getLogger()
151
121
syslogger = None
152
122
153
123
try:
154
124
if_nametoindex = ctypes.cdll.LoadLibrary(
155
125
ctypes.util.find_library("c")).if_nametoindex
156
126
except (OSError, AttributeError):
157
127
158
128
def if_nametoindex(interface):
159
129
"Get an interface index the hard way, i.e. using fcntl()"
160
130
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
183
153
184
154
def initlogger(debug, level=logging.WARNING):
185
155
"""init logger and add loglevel"""
186
156
187
157
global syslogger
188
158
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
159
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
160
address = "/dev/log"))
191
161
syslogger.setFormatter(logging.Formatter
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
194
log.addHandler(syslogger)
195
162
('Mandos [%(process)d]: %(levelname)s:'
163
' %(message)s'))
164
logger.addHandler(syslogger)
165
196
166
if debug:
197
167
console = logging.StreamHandler()
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
202
log.addHandler(console)
203
log.setLevel(level)
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
169
' [%(process)d]:'
170
' %(levelname)s:'
171
' %(message)s'))
172
logger.addHandler(console)
173
logger.setLevel(level)
204
174
205
175
206
176
class PGPError(Exception):
208
178
pass
209
179
210
180
211
class PGPEngine:
181
class PGPEngine(object):
212
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
183
214
184
def __init__(self):
215
185
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
186
self.gpg = "gpg"
218
188
output = subprocess.check_output(["gpgconf"])
219
189
for line in output.splitlines():
220
190
name, text, path = line.split(b":")
221
if name == b"gpg":
191
if name == "gpg":
222
192
self.gpg = path
223
193
break
224
194
except OSError as e:
225
195
if e.errno != errno.ENOENT:
226
196
raise
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
197
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
199
'--force-mdc',
200
'--quiet']
231
201
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
233
203
self.gnupgargs.append("--no-use-agent")
234
204
235
205
def __enter__(self):
236
206
return self
237
207
238
208
def __exit__(self, exc_type, exc_value, traceback):
239
209
self._cleanup()
240
210
return False
241
211
242
212
def __del__(self):
243
213
self._cleanup()
244
214
245
215
def _cleanup(self):
246
216
if self.tempdir is not None:
247
217
# Delete contents of tempdir
248
218
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
219
topdown = False):
250
220
for filename in files:
251
221
os.remove(os.path.join(root, filename))
252
222
for dirname in dirs:
254
224
# Remove tempdir
255
225
os.rmdir(self.tempdir)
256
226
self.tempdir = None
257
227
258
228
def password_encode(self, password):
259
229
# Passphrase can not be empty and can not contain newlines or
260
230
# NUL bytes. So we prefix it and hex encode it.
265
235
.replace(b"\n", b"\\n")
266
236
.replace(b"\0", b"\\x00"))
267
237
return encoded
268
238
269
239
def encrypt(self, data, password):
270
240
passphrase = self.password_encode(password)
271
241
with tempfile.NamedTemporaryFile(
272
242
dir=self.tempdir) as passfile:
273
243
passfile.write(passphrase)
274
244
passfile.flush()
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
245
proc = subprocess.Popen([self.gpg, '--symmetric',
246
'--passphrase-file',
277
247
passfile.name]
278
248
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
249
stdin = subprocess.PIPE,
250
stdout = subprocess.PIPE,
251
stderr = subprocess.PIPE)
252
ciphertext, err = proc.communicate(input = data)
283
253
if proc.returncode != 0:
284
254
raise PGPError(err)
285
255
return ciphertext
286
256
287
257
def decrypt(self, data, password):
288
258
passphrase = self.password_encode(password)
289
259
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
260
dir = self.tempdir) as passfile:
291
261
passfile.write(passphrase)
292
262
passfile.flush()
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
263
proc = subprocess.Popen([self.gpg, '--decrypt',
264
'--passphrase-file',
295
265
passfile.name]
296
266
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
267
stdin = subprocess.PIPE,
268
stdout = subprocess.PIPE,
269
stderr = subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input = data)
301
271
if proc.returncode != 0:
302
272
raise PGPError(err)
303
273
return decrypted_plaintext
304
274
305
306
275
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
276
class Avahi(object):
277
"""This isn't so much a class as it is a module-like namespace.
278
It is instantiated once, and simulates having an Avahi module."""
279
IF_UNSPEC = -1 # avahi-common/address.h
280
PROTO_UNSPEC = -1 # avahi-common/address.h
281
PROTO_INET = 0 # avahi-common/address.h
282
PROTO_INET6 = 1 # avahi-common/address.h
313
283
DBUS_NAME = "org.freedesktop.Avahi"
314
284
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
285
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
286
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
287
def string_array_to_txt_array(self, t):
320
288
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
289
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
290
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
291
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
292
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
293
SERVER_INVALID = 0 # avahi-common/defs.h
294
SERVER_REGISTERING = 1 # avahi-common/defs.h
295
SERVER_RUNNING = 2 # avahi-common/defs.h
296
SERVER_COLLISION = 3 # avahi-common/defs.h
297
SERVER_FAILURE = 4 # avahi-common/defs.h
298
avahi = Avahi()
331
299
332
300
class AvahiError(Exception):
333
301
def __init__(self, value, *args, **kwargs):
344
312
pass
345
313
346
314
347
class AvahiService:
315
class AvahiService(object):
348
316
"""An Avahi (Zeroconf) service.
349
317
350
318
Attributes:
351
319
interface: integer; avahi.IF_UNSPEC or an interface index.
352
320
Used to optionally bind to the specified interface.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
321
name: string; Example: 'Mandos'
322
type: string; Example: '_mandos._tcp'.
355
323
See <https://www.iana.org/assignments/service-names-port-numbers>
356
324
port: integer; what port to announce
357
325
TXT: list of strings; TXT record for the service
364
332
server: D-Bus Server
365
333
bus: dbus.SystemBus()
366
334
"""
367
335
368
336
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
337
interface = avahi.IF_UNSPEC,
338
name = None,
339
servicetype = None,
340
port = None,
341
TXT = None,
342
domain = "",
343
host = "",
344
max_renames = 32768,
345
protocol = avahi.PROTO_UNSPEC,
346
bus = None):
379
347
self.interface = interface
380
348
self.name = name
381
349
self.type = servicetype
390
358
self.server = None
391
359
self.bus = bus
392
360
self.entry_group_state_changed_match = None
393
361
394
362
def rename(self, remove=True):
395
363
"""Derived from the Avahi example code"""
396
364
if self.rename_count >= self.max_renames:
397
log.critical("No suitable Zeroconf service name found"
398
" after %i retries, exiting.",
399
self.rename_count)
365
logger.critical("No suitable Zeroconf service name found"
366
" after %i retries, exiting.",
367
self.rename_count)
400
368
raise AvahiServiceError("Too many renames")
401
369
self.name = str(
402
370
self.server.GetAlternativeServiceName(self.name))
403
371
self.rename_count += 1
404
log.info("Changing Zeroconf service name to %r ...",
405
self.name)
372
logger.info("Changing Zeroconf service name to %r ...",
373
self.name)
406
374
if remove:
407
375
self.remove()
408
376
try:
410
378
except dbus.exceptions.DBusException as error:
411
379
if (error.get_dbus_name()
412
380
== "org.freedesktop.Avahi.CollisionError"):
413
log.info("Local Zeroconf service name collision.")
381
logger.info("Local Zeroconf service name collision.")
414
382
return self.rename(remove=False)
415
383
else:
416
log.critical("D-Bus Exception", exc_info=error)
384
logger.critical("D-Bus Exception", exc_info=error)
417
385
self.cleanup()
418
386
os._exit(1)
419
387
420
388
def remove(self):
421
389
"""Derived from the Avahi example code"""
422
390
if self.entry_group_state_changed_match is not None:
424
392
self.entry_group_state_changed_match = None
425
393
if self.group is not None:
426
394
self.group.Reset()
427
395
428
396
def add(self):
429
397
"""Derived from the Avahi example code"""
430
398
self.remove()
435
403
avahi.DBUS_INTERFACE_ENTRY_GROUP)
436
404
self.entry_group_state_changed_match = (
437
405
self.group.connect_to_signal(
438
"StateChanged", self.entry_group_state_changed))
439
log.debug("Adding Zeroconf service '%s' of type '%s' ...",
440
self.name, self.type)
406
'StateChanged', self.entry_group_state_changed))
407
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
408
self.name, self.type)
441
409
self.group.AddService(
442
410
self.interface,
443
411
self.protocol,
447
415
dbus.UInt16(self.port),
448
416
avahi.string_array_to_txt_array(self.TXT))
449
417
self.group.Commit()
450
418
451
419
def entry_group_state_changed(self, state, error):
452
420
"""Derived from the Avahi example code"""
453
log.debug("Avahi entry group state change: %i", state)
454
421
logger.debug("Avahi entry group state change: %i", state)
422
455
423
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
log.debug("Zeroconf service established.")
424
logger.debug("Zeroconf service established.")
457
425
elif state == avahi.ENTRY_GROUP_COLLISION:
458
log.info("Zeroconf service name collision.")
426
logger.info("Zeroconf service name collision.")
459
427
self.rename()
460
428
elif state == avahi.ENTRY_GROUP_FAILURE:
461
log.critical("Avahi: Error in group state changed %s",
462
str(error))
429
logger.critical("Avahi: Error in group state changed %s",
430
str(error))
463
431
raise AvahiGroupError("State changed: {!s}".format(error))
464
432
465
433
def cleanup(self):
466
434
"""Derived from the Avahi example code"""
467
435
if self.group is not None:
472
440
pass
473
441
self.group = None
474
442
self.remove()
475
443
476
444
def server_state_changed(self, state, error=None):
477
445
"""Derived from the Avahi example code"""
478
log.debug("Avahi server state change: %i", state)
446
logger.debug("Avahi server state change: %i", state)
479
447
bad_states = {
480
448
avahi.SERVER_INVALID: "Zeroconf server invalid",
481
449
avahi.SERVER_REGISTERING: None,
485
453
if state in bad_states:
486
454
if bad_states[state] is not None:
487
455
if error is None:
488
log.error(bad_states[state])
456
logger.error(bad_states[state])
489
457
else:
490
log.error(bad_states[state] + ": %r", error)
458
logger.error(bad_states[state] + ": %r", error)
491
459
self.cleanup()
492
460
elif state == avahi.SERVER_RUNNING:
493
461
try:
495
463
except dbus.exceptions.DBusException as error:
496
464
if (error.get_dbus_name()
497
465
== "org.freedesktop.Avahi.CollisionError"):
498
log.info("Local Zeroconf service name collision.")
466
logger.info("Local Zeroconf service name"
467
" collision.")
499
468
return self.rename(remove=False)
500
469
else:
501
log.critical("D-Bus Exception", exc_info=error)
470
logger.critical("D-Bus Exception", exc_info=error)
502
471
self.cleanup()
503
472
os._exit(1)
504
473
else:
505
474
if error is None:
506
log.debug("Unknown state: %r", state)
475
logger.debug("Unknown state: %r", state)
507
476
else:
508
log.debug("Unknown state: %r: %r", state, error)
509
477
logger.debug("Unknown state: %r: %r", state, error)
478
510
479
def activate(self):
511
480
"""Derived from the Avahi example code"""
512
481
if self.server is None:
523
492
class AvahiServiceToSyslog(AvahiService):
524
493
def rename(self, *args, **kwargs):
525
494
"""Add the new name to the syslog messages"""
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
527
**kwargs)
495
ret = AvahiService.rename(self, *args, **kwargs)
528
496
syslogger.setFormatter(logging.Formatter(
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
497
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
498
.format(self.name)))
531
499
return ret
532
500
533
534
501
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
502
class GnuTLS(object):
503
"""This isn't so much a class as it is a module-like namespace.
504
It is instantiated once, and simulates having a GnuTLS module."""
505
506
_library = ctypes.cdll.LoadLibrary(
507
ctypes.util.find_library("gnutls"))
508
_need_version = b"3.3.0"
509
def __init__(self):
510
# Need to use class name "GnuTLS" here, since this method is
511
# called before the assignment to the "gnutls" global variable
512
# happens.
513
if GnuTLS.check_version(self._need_version) is None:
514
raise GnuTLS.Error("Needs GnuTLS {} or later"
515
.format(self._need_version))
516
544
517
# Unless otherwise indicated, the constants and types below are
545
518
# all from the gnutls/gnutls.h C header file.
546
519
547
520
# Constants
548
521
E_SUCCESS = 0
549
522
E_INTERRUPTED = -52
550
523
E_AGAIN = -28
551
524
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
525
CLIENT = 2
554
526
SHUT_RDWR = 0
555
527
CRD_CERTIFICATE = 1
556
528
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
529
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
530
564
531
# Types
565
class _session_int(ctypes.Structure):
532
class session_int(ctypes.Structure):
566
533
_fields_ = []
567
session_t = ctypes.POINTER(_session_int)
568
534
session_t = ctypes.POINTER(session_int)
569
535
class certificate_credentials_st(ctypes.Structure):
570
536
_fields_ = []
571
537
certificate_credentials_t = ctypes.POINTER(
572
538
certificate_credentials_st)
573
539
certificate_type_t = ctypes.c_int
574
575
540
class datum_t(ctypes.Structure):
576
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
577
("size", ctypes.c_uint)]
578
579
class _openpgp_crt_int(ctypes.Structure):
541
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
542
('size', ctypes.c_uint)]
543
class openpgp_crt_int(ctypes.Structure):
580
544
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
545
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
546
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
547
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
548
credentials_type_t = ctypes.c_int
585
549
transport_ptr_t = ctypes.c_void_p
586
550
close_request_t = ctypes.c_int
587
551
588
552
# Exceptions
589
553
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
554
# We need to use the class name "GnuTLS" here, since this
555
# exception might be raised from within GnuTLS.__init__,
556
# which is called before the assignment to the "gnutls"
557
# global variable has happened.
558
def __init__(self, message = None, code = None, args=()):
591
559
# Default usage is by a message string, but if a return
592
560
# code is passed, convert it to a string with
593
561
# gnutls.strerror()
594
562
self.code = code
595
563
if message is None and code is not None:
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
564
message = GnuTLS.strerror(code)
565
return super(GnuTLS.Error, self).__init__(
599
566
message, *args)
600
567
601
568
class CertificateSecurityError(Error):
602
569
pass
603
604
class PointerTo:
605
def __init__(self, cls):
606
self.cls = cls
607
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
613
614
class CastToVoidPointer:
615
def __init__(self, cls):
616
self.cls = cls
617
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
623
624
class With_from_param:
625
@classmethod
626
def from_param(cls, obj):
627
return obj._as_parameter_
628
570
629
571
# Classes
630
class Credentials(With_from_param):
572
class Credentials(object):
631
573
def __init__(self):
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
574
self._c_object = gnutls.certificate_credentials_t()
575
gnutls.certificate_allocate_credentials(
576
ctypes.byref(self._c_object))
634
577
self.type = gnutls.CRD_CERTIFICATE
635
578
636
579
def __del__(self):
637
gnutls.certificate_free_credentials(self)
638
639
class ClientSession(With_from_param):
640
def __init__(self, socket, credentials=None):
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
645
if gnutls.has_rawpk:
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
648
del gnutls_flags
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
580
gnutls.certificate_free_credentials(self._c_object)
581
582
class ClientSession(object):
583
def __init__(self, socket, credentials = None):
584
self._c_object = gnutls.session_t()
585
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
586
gnutls.set_default_priority(self._c_object)
587
gnutls.transport_set_ptr(self._c_object, socket.fileno())
588
gnutls.handshake_set_private_extensions(self._c_object,
589
True)
652
590
self.socket = socket
653
591
if credentials is None:
654
592
credentials = gnutls.Credentials()
655
gnutls.credentials_set(self, credentials.type,
656
credentials)
593
gnutls.credentials_set(self._c_object, credentials.type,
594
ctypes.cast(credentials._c_object,
595
ctypes.c_void_p))
657
596
self.credentials = credentials
658
597
659
598
def __del__(self):
660
gnutls.deinit(self)
661
599
gnutls.deinit(self._c_object)
600
662
601
def handshake(self):
663
return gnutls.handshake(self)
664
602
return gnutls.handshake(self._c_object)
603
665
604
def send(self, data):
666
605
data = bytes(data)
667
606
data_len = len(data)
668
607
while data_len > 0:
669
data_len -= gnutls.record_send(self, data[-data_len:],
608
data_len -= gnutls.record_send(self._c_object,
609
data[-data_len:],
670
610
data_len)
671
611
672
612
def bye(self):
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
674
613
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
614
675
615
# Error handling functions
676
616
def _error_code(result):
677
617
"""A function to raise exceptions on errors, suitable
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
618
for the 'restype' attribute on ctypes functions"""
619
if result >= 0:
680
620
return result
681
621
if result == gnutls.E_NO_CERTIFICATE_FOUND:
682
raise gnutls.CertificateSecurityError(code=result)
683
raise gnutls.Error(code=result)
684
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
622
raise gnutls.CertificateSecurityError(code = result)
623
raise gnutls.Error(code = result)
624
625
def _retry_on_error(result, func, arguments):
687
626
"""A function to retry on some errors, suitable
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
627
for the 'errcheck' attribute on ctypes functions"""
628
while result < 0:
690
629
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
691
630
return _error_code(result)
692
631
result = func(*arguments)
693
632
return result
694
633
695
634
# Unless otherwise indicated, the function declarations below are
696
635
# all from the gnutls/gnutls.h C header file.
697
636
698
637
# Functions
699
638
priority_set_direct = _library.gnutls_priority_set_direct
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
639
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
701
640
ctypes.POINTER(ctypes.c_char_p)]
702
641
priority_set_direct.restype = _error_code
703
642
704
643
init = _library.gnutls_init
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
644
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
706
645
init.restype = _error_code
707
646
708
647
set_default_priority = _library.gnutls_set_default_priority
709
set_default_priority.argtypes = [ClientSession]
648
set_default_priority.argtypes = [session_t]
710
649
set_default_priority.restype = _error_code
711
650
712
651
record_send = _library.gnutls_record_send
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
652
record_send.argtypes = [session_t, ctypes.c_void_p,
714
653
ctypes.c_size_t]
715
654
record_send.restype = ctypes.c_ssize_t
716
655
record_send.errcheck = _retry_on_error
717
656
718
657
certificate_allocate_credentials = (
719
658
_library.gnutls_certificate_allocate_credentials)
720
659
certificate_allocate_credentials.argtypes = [
721
PointerTo(Credentials)]
660
ctypes.POINTER(certificate_credentials_t)]
722
661
certificate_allocate_credentials.restype = _error_code
723
662
724
663
certificate_free_credentials = (
725
664
_library.gnutls_certificate_free_credentials)
726
certificate_free_credentials.argtypes = [Credentials]
665
certificate_free_credentials.argtypes = [certificate_credentials_t]
727
666
certificate_free_credentials.restype = None
728
667
729
668
handshake_set_private_extensions = (
730
669
_library.gnutls_handshake_set_private_extensions)
731
handshake_set_private_extensions.argtypes = [ClientSession,
670
handshake_set_private_extensions.argtypes = [session_t,
732
671
ctypes.c_int]
733
672
handshake_set_private_extensions.restype = None
734
673
735
674
credentials_set = _library.gnutls_credentials_set
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
675
credentials_set.argtypes = [session_t, credentials_type_t,
676
ctypes.c_void_p]
738
677
credentials_set.restype = _error_code
739
678
740
679
strerror = _library.gnutls_strerror
741
680
strerror.argtypes = [ctypes.c_int]
742
681
strerror.restype = ctypes.c_char_p
743
682
744
683
certificate_type_get = _library.gnutls_certificate_type_get
745
certificate_type_get.argtypes = [ClientSession]
684
certificate_type_get.argtypes = [session_t]
746
685
certificate_type_get.restype = _error_code
747
686
748
687
certificate_get_peers = _library.gnutls_certificate_get_peers
749
certificate_get_peers.argtypes = [ClientSession,
688
certificate_get_peers.argtypes = [session_t,
750
689
ctypes.POINTER(ctypes.c_uint)]
751
690
certificate_get_peers.restype = ctypes.POINTER(datum_t)
752
691
753
692
global_set_log_level = _library.gnutls_global_set_log_level
754
693
global_set_log_level.argtypes = [ctypes.c_int]
755
694
global_set_log_level.restype = None
756
695
757
696
global_set_log_function = _library.gnutls_global_set_log_function
758
697
global_set_log_function.argtypes = [log_func]
759
698
global_set_log_function.restype = None
760
699
761
700
deinit = _library.gnutls_deinit
762
deinit.argtypes = [ClientSession]
701
deinit.argtypes = [session_t]
763
702
deinit.restype = None
764
703
765
704
handshake = _library.gnutls_handshake
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
705
handshake.argtypes = [session_t]
706
handshake.restype = _error_code
768
707
handshake.errcheck = _retry_on_error
769
708
770
709
transport_set_ptr = _library.gnutls_transport_set_ptr
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
710
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
772
711
transport_set_ptr.restype = None
773
712
774
713
bye = _library.gnutls_bye
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
714
bye.argtypes = [session_t, close_request_t]
715
bye.restype = _error_code
777
716
bye.errcheck = _retry_on_error
778
717
779
718
check_version = _library.gnutls_check_version
780
719
check_version.argtypes = [ctypes.c_char_p]
781
720
check_version.restype = ctypes.c_char_p
782
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
787
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
790
791
if has_rawpk:
792
# Types
793
class pubkey_st(ctypes.Structure):
794
_fields = []
795
pubkey_t = ctypes.POINTER(pubkey_st)
796
797
x509_crt_fmt_t = ctypes.c_int
798
799
# All the function declarations below are from
800
# gnutls/abstract.h
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
804
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
807
x509_crt_fmt_t]
808
pubkey_import.restype = _error_code
809
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
815
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
819
else:
820
# All the function declarations below are from
821
# gnutls/openpgp.h
822
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
826
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
830
openpgp_crt_fmt_t]
831
openpgp_crt_import.restype = _error_code
832
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
836
openpgp_crt_t,
837
ctypes.c_uint,
838
ctypes.POINTER(ctypes.c_uint),
839
]
840
openpgp_crt_verify_self.restype = _error_code
841
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
845
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
849
ctypes.c_void_p,
850
ctypes.POINTER(
851
ctypes.c_size_t)]
852
openpgp_crt_get_fingerprint.restype = _error_code
853
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
858
721
722
# All the function declarations below are from gnutls/openpgp.h
723
724
openpgp_crt_init = _library.gnutls_openpgp_crt_init
725
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
726
openpgp_crt_init.restype = _error_code
727
728
openpgp_crt_import = _library.gnutls_openpgp_crt_import
729
openpgp_crt_import.argtypes = [openpgp_crt_t,
730
ctypes.POINTER(datum_t),
731
openpgp_crt_fmt_t]
732
openpgp_crt_import.restype = _error_code
733
734
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
735
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
736
ctypes.POINTER(ctypes.c_uint)]
737
openpgp_crt_verify_self.restype = _error_code
738
739
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
740
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
741
openpgp_crt_deinit.restype = None
742
743
openpgp_crt_get_fingerprint = (
744
_library.gnutls_openpgp_crt_get_fingerprint)
745
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
746
ctypes.c_void_p,
747
ctypes.POINTER(
748
ctypes.c_size_t)]
749
openpgp_crt_get_fingerprint.restype = _error_code
750
859
751
# Remove non-public functions
860
752
del _error_code, _retry_on_error
861
753
# Create the global "gnutls" object, simulating a module
754
gnutls = GnuTLS()
862
755
863
756
def call_pipe(connection, # : multiprocessing.Connection
864
757
func, *args, **kwargs):
865
758
"""This function is meant to be called by multiprocessing.Process
866
759
867
760
This function runs func(*args, **kwargs), and writes the resulting
868
761
return value on the provided multiprocessing.Connection.
869
762
"""
870
763
connection.send(func(*args, **kwargs))
871
764
connection.close()
872
765
873
874
class Client:
766
class Client(object):
875
767
"""A representation of a client host served by this server.
876
768
877
769
Attributes:
878
approved: bool(); None if not yet approved/disapproved
770
approved: bool(); 'None' if not yet approved/disapproved
879
771
approval_delay: datetime.timedelta(); Time to wait for approval
880
772
approval_duration: datetime.timedelta(); Duration of one approval
881
checker: multiprocessing.Process(); a running checker process used
882
to see if the client lives. None if no process is
883
running.
773
checker: subprocess.Popen(); a running checker process used
774
to see if the client lives.
775
'None' if no process is running.
884
776
checker_callback_tag: a GLib event source tag, or None
885
777
checker_command: string; External command which is run to check
886
778
if client lives. %() expansions are done at
894
786
disable_initiator_tag: a GLib event source tag, or None
895
787
enabled: bool()
896
788
fingerprint: string (40 or 32 hexadecimal digits); used to
897
uniquely identify an OpenPGP client
898
key_id: string (64 hexadecimal digits); used to uniquely identify
899
a client using raw public keys
789
uniquely identify the client
900
790
host: string; available for use by the checker command
901
791
interval: datetime.timedelta(); How often to start a new checker
902
792
last_approval_request: datetime.datetime(); (UTC) or None
918
808
disabled, or None
919
809
server_settings: The server_settings dict from main()
920
810
"""
921
811
922
812
runtime_expansions = ("approval_delay", "approval_duration",
923
"created", "enabled", "expires", "key_id",
813
"created", "enabled", "expires",
924
814
"fingerprint", "host", "interval",
925
815
"last_approval_request", "last_checked_ok",
926
816
"last_enabled", "name", "timeout")
935
825
"approved_by_default": "True",
936
826
"enabled": "True",
937
827
}
938
828
939
829
@staticmethod
940
830
def config_parser(config):
941
831
"""Construct a new dict of client settings of this form:
948
838
for client_name in config.sections():
949
839
section = dict(config.items(client_name))
950
840
client = settings[client_name] = {}
951
841
952
842
client["host"] = section["host"]
953
843
# Reformat values from string types to Python types
954
844
client["approved_by_default"] = config.getboolean(
955
845
client_name, "approved_by_default")
956
846
client["enabled"] = config.getboolean(client_name,
957
847
"enabled")
958
959
# Uppercase and remove spaces from key_id and fingerprint
960
# for later comparison purposes with return value from the
961
# key_id() and fingerprint() functions
962
client["key_id"] = (section.get("key_id", "").upper()
963
.replace(" ", ""))
848
849
# Uppercase and remove spaces from fingerprint for later
850
# comparison purposes with return value from the
851
# fingerprint() function
964
852
client["fingerprint"] = (section["fingerprint"].upper()
965
853
.replace(" ", ""))
966
854
if "secret" in section:
987
875
client["last_approval_request"] = None
988
876
client["last_checked_ok"] = None
989
877
client["last_checker_status"] = -2
990
878
991
879
return settings
992
993
def __init__(self, settings, name=None, server_settings=None):
880
881
def __init__(self, settings, name = None, server_settings=None):
994
882
self.name = name
995
883
if server_settings is None:
996
884
server_settings = {}
998
886
# adding all client settings
999
887
for setting, value in settings.items():
1000
888
setattr(self, setting, value)
1001
889
1002
890
if self.enabled:
1003
891
if not hasattr(self, "last_enabled"):
1004
892
self.last_enabled = datetime.datetime.utcnow()
1008
896
else:
1009
897
self.last_enabled = None
1010
898
self.expires = None
1011
1012
log.debug("Creating client %r", self.name)
1013
log.debug(" Key ID: %s", self.key_id)
1014
log.debug(" Fingerprint: %s", self.fingerprint)
899
900
logger.debug("Creating client %r", self.name)
901
logger.debug(" Fingerprint: %s", self.fingerprint)
1015
902
self.created = settings.get("created",
1016
903
datetime.datetime.utcnow())
1017
904
1018
905
# attributes specific for this server instance
1019
906
self.checker = None
1020
907
self.checker_initiator_tag = None
1029
916
for attr in self.__dict__.keys()
1030
917
if not attr.startswith("_")]
1031
918
self.client_structure.append("client_structure")
1032
919
1033
920
for name, t in inspect.getmembers(
1034
921
type(self), lambda obj: isinstance(obj, property)):
1035
922
if not name.startswith("_"):
1036
923
self.client_structure.append(name)
1037
924
1038
925
# Send notice to process children that client state has changed
1039
926
def send_changedstate(self):
1040
927
with self.changedstate:
1041
928
self.changedstate.notify_all()
1042
929
1043
930
def enable(self):
1044
931
"""Start this client's checker and timeout hooks"""
1045
932
if getattr(self, "enabled", False):
1050
937
self.last_enabled = datetime.datetime.utcnow()
1051
938
self.init_checker()
1052
939
self.send_changedstate()
1053
940
1054
941
def disable(self, quiet=True):
1055
942
"""Disable this client."""
1056
943
if not getattr(self, "enabled", False):
1057
944
return False
1058
945
if not quiet:
1059
log.info("Disabling client %s", self.name)
946
logger.info("Disabling client %s", self.name)
1060
947
if getattr(self, "disable_initiator_tag", None) is not None:
1061
948
GLib.source_remove(self.disable_initiator_tag)
1062
949
self.disable_initiator_tag = None
1070
957
self.send_changedstate()
1071
958
# Do not run this again if called by a GLib.timeout_add
1072
959
return False
1073
960
1074
961
def __del__(self):
1075
962
self.disable()
1076
963
1077
964
def init_checker(self):
1078
965
# Schedule a new checker to be started an 'interval' from now,
1079
966
# and every interval from then on.
1080
967
if self.checker_initiator_tag is not None:
1081
968
GLib.source_remove(self.checker_initiator_tag)
1082
969
self.checker_initiator_tag = GLib.timeout_add(
1083
random.randrange(int(self.interval.total_seconds() * 1000
1084
+ 1)),
970
int(self.interval.total_seconds() * 1000),
1085
971
self.start_checker)
1086
972
# Schedule a disable() when 'timeout' has passed
1087
973
if self.disable_initiator_tag is not None:
1090
976
int(self.timeout.total_seconds() * 1000), self.disable)
1091
977
# Also start a new checker *right now*.
1092
978
self.start_checker()
1093
979
1094
980
def checker_callback(self, source, condition, connection,
1095
981
command):
1096
982
"""The checker has completed, so take appropriate actions."""
983
self.checker_callback_tag = None
984
self.checker = None
1097
985
# Read return code from connection (see call_pipe)
1098
986
returncode = connection.recv()
1099
987
connection.close()
1100
if self.checker is not None:
1101
self.checker.join()
1102
self.checker_callback_tag = None
1103
self.checker = None
1104
988
1105
989
if returncode >= 0:
1106
990
self.last_checker_status = returncode
1107
991
self.last_checker_signal = None
1108
992
if self.last_checker_status == 0:
1109
log.info("Checker for %(name)s succeeded", vars(self))
993
logger.info("Checker for %(name)s succeeded",
994
vars(self))
1110
995
self.checked_ok()
1111
996
else:
1112
log.info("Checker for %(name)s failed", vars(self))
997
logger.info("Checker for %(name)s failed", vars(self))
1113
998
else:
1114
999
self.last_checker_status = -1
1115
1000
self.last_checker_signal = -returncode
1116
log.warning("Checker for %(name)s crashed?", vars(self))
1001
logger.warning("Checker for %(name)s crashed?",
1002
vars(self))
1117
1003
return False
1118
1004
1119
1005
def checked_ok(self):
1120
1006
"""Assert that the client has been seen, alive and well."""
1121
1007
self.last_checked_ok = datetime.datetime.utcnow()
1122
1008
self.last_checker_status = 0
1123
1009
self.last_checker_signal = None
1124
1010
self.bump_timeout()
1125
1011
1126
1012
def bump_timeout(self, timeout=None):
1127
1013
"""Bump up the timeout for this client."""
1128
1014
if timeout is None:
1134
1020
self.disable_initiator_tag = GLib.timeout_add(
1135
1021
int(timeout.total_seconds() * 1000), self.disable)
1136
1022
self.expires = datetime.datetime.utcnow() + timeout
1137
1023
1138
1024
def need_approval(self):
1139
1025
self.last_approval_request = datetime.datetime.utcnow()
1140
1026
1141
1027
def start_checker(self):
1142
1028
"""Start a new checker subprocess if one is not running.
1143
1029
1144
1030
If a checker already exists, leave it running and do
1145
1031
nothing."""
1146
1032
# The reason for not killing a running checker is that if we
1151
1037
# checkers alone, the checker would have to take more time
1152
1038
# than 'timeout' for the client to be disabled, which is as it
1153
1039
# should be.
1154
1040
1155
1041
if self.checker is not None and not self.checker.is_alive():
1156
log.warning("Checker was not alive; joining")
1042
logger.warning("Checker was not alive; joining")
1157
1043
self.checker.join()
1158
1044
self.checker = None
1159
1045
# Start a new checker if needed
1160
1046
if self.checker is None:
1161
1047
# Escape attributes for the shell
1162
1048
escaped_attrs = {
1163
attr: shlex.quote(str(getattr(self, attr)))
1164
for attr in self.runtime_expansions}
1049
attr: re.escape(str(getattr(self, attr)))
1050
for attr in self.runtime_expansions }
1165
1051
try:
1166
1052
command = self.checker_command % escaped_attrs
1167
1053
except TypeError as error:
1168
log.error('Could not format string "%s"',
1169
self.checker_command, exc_info=error)
1054
logger.error('Could not format string "%s"',
1055
self.checker_command,
1056
exc_info=error)
1170
1057
return True # Try again later
1171
1058
self.current_checker_command = command
1172
log.info("Starting checker %r for %s", command, self.name)
1059
logger.info("Starting checker %r for %s", command,
1060
self.name)
1173
1061
# We don't need to redirect stdout and stderr, since
1174
1062
# in normal mode, that is already done by daemon(),
1175
1063
# and in debug mode we don't want to. (Stdin is
1177
1065
# The exception is when not debugging but nevertheless
1178
1066
# running in the foreground; use the previously
1179
1067
# created wnull.
1180
popen_args = {"close_fds": True,
1181
"shell": True,
1182
"cwd": "/"}
1068
popen_args = { "close_fds": True,
1069
"shell": True,
1070
"cwd": "/" }
1183
1071
if (not self.server_settings["debug"]
1184
1072
and self.server_settings["foreground"]):
1185
1073
popen_args.update({"stdout": wnull,
1186
"stderr": wnull})
1187
pipe = multiprocessing.Pipe(duplex=False)
1074
"stderr": wnull })
1075
pipe = multiprocessing.Pipe(duplex = False)
1188
1076
self.checker = multiprocessing.Process(
1189
target=call_pipe,
1190
args=(pipe[1], subprocess.call, command),
1191
kwargs=popen_args)
1077
target = call_pipe,
1078
args = (pipe[1], subprocess.call, command),
1079
kwargs = popen_args)
1192
1080
self.checker.start()
1193
1081
self.checker_callback_tag = GLib.io_add_watch(
1194
GLib.IOChannel.unix_new(pipe[0].fileno()),
1195
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1082
pipe[0].fileno(), GLib.IO_IN,
1196
1083
self.checker_callback, pipe[0], command)
1197
1084
# Re-run this periodically if run by GLib.timeout_add
1198
1085
return True
1199
1086
1200
1087
def stop_checker(self):
1201
1088
"""Force the checker process, if any, to stop."""
1202
1089
if self.checker_callback_tag:
1204
1091
self.checker_callback_tag = None
1205
1092
if getattr(self, "checker", None) is None:
1206
1093
return
1207
log.debug("Stopping checker for %(name)s", vars(self))
1094
logger.debug("Stopping checker for %(name)s", vars(self))
1208
1095
self.checker.terminate()
1209
1096
self.checker = None
1210
1097
1215
1102
byte_arrays=False):
1216
1103
"""Decorators for marking methods of a DBusObjectWithProperties to
1217
1104
become properties on the D-Bus.
1218
1105
1219
1106
The decorated method will be called with no arguments by "Get"
1220
1107
and with one argument by "Set".
1221
1108
1222
1109
The parameters, where they are supported, are the same as
1223
1110
dbus.service.method, except there is only "signature", since the
1224
1111
type from Get() and the type sent to Set() is the same.
1228
1115
if byte_arrays and signature != "ay":
1229
1116
raise ValueError("Byte arrays not supported for non-'ay'"
1230
1117
" signature {!r}".format(signature))
1231
1118
1232
1119
def decorator(func):
1233
1120
func._dbus_is_property = True
1234
1121
func._dbus_interface = dbus_interface
1237
1124
func._dbus_name = func.__name__
1238
1125
if func._dbus_name.endswith("_dbus_property"):
1239
1126
func._dbus_name = func._dbus_name[:-14]
1240
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1127
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1241
1128
return func
1242
1129
1243
1130
return decorator
1244
1131
1245
1132
1246
1133
def dbus_interface_annotations(dbus_interface):
1247
1134
"""Decorator for marking functions returning interface annotations
1248
1135
1249
1136
Usage:
1250
1137
1251
1138
@dbus_interface_annotations("org.example.Interface")
1252
1139
def _foo(self): # Function name does not matter
1253
1140
return {"org.freedesktop.DBus.Deprecated": "true",
1254
1141
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1255
1142
"false"}
1256
1143
"""
1257
1144
1258
1145
def decorator(func):
1259
1146
func._dbus_is_interface = True
1260
1147
func._dbus_interface = dbus_interface
1261
1148
func._dbus_name = dbus_interface
1262
1149
return func
1263
1150
1264
1151
return decorator
1265
1152
1266
1153
1267
1154
def dbus_annotations(annotations):
1268
1155
"""Decorator to annotate D-Bus methods, signals or properties
1269
1156
Usage:
1270
1157
1271
1158
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1272
1159
"org.freedesktop.DBus.Property."
1273
1160
"EmitsChangedSignal": "false"})
1275
1162
access="r")
1276
1163
def Property_dbus_property(self):
1277
1164
return dbus.Boolean(False)
1278
1165
1279
1166
See also the DBusObjectWithAnnotations class.
1280
1167
"""
1281
1168
1282
1169
def decorator(func):
1283
1170
func._dbus_annotations = annotations
1284
1171
return func
1285
1172
1286
1173
return decorator
1287
1174
1288
1175
1306
1193
1307
1194
class DBusObjectWithAnnotations(dbus.service.Object):
1308
1195
"""A D-Bus object with annotations.
1309
1196
1310
1197
Classes inheriting from this can use the dbus_annotations
1311
1198
decorator to add annotations to methods or signals.
1312
1199
"""
1313
1200
1314
1201
@staticmethod
1315
1202
def _is_dbus_thing(thing):
1316
1203
"""Returns a function testing if an attribute is a D-Bus thing
1317
1204
1318
1205
If called like _is_dbus_thing("method") it returns a function
1319
1206
suitable for use as predicate to inspect.getmembers().
1320
1207
"""
1321
1208
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1322
1209
False)
1323
1210
1324
1211
def _get_all_dbus_things(self, thing):
1325
1212
"""Returns a generator of (name, attribute) pairs
1326
1213
"""
1329
1216
for cls in self.__class__.__mro__
1330
1217
for name, athing in
1331
1218
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1332
1219
1333
1220
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1334
out_signature="s",
1335
path_keyword="object_path",
1336
connection_keyword="connection")
1221
out_signature = "s",
1222
path_keyword = 'object_path',
1223
connection_keyword = 'connection')
1337
1224
def Introspect(self, object_path, connection):
1338
1225
"""Overloading of standard D-Bus method.
1339
1226
1340
1227
Inserts annotation tags on methods and signals.
1341
1228
"""
1342
1229
xmlstring = dbus.service.Object.Introspect(self, object_path,
1343
1230
connection)
1344
1231
try:
1345
1232
document = xml.dom.minidom.parseString(xmlstring)
1346
1233
1347
1234
for if_tag in document.getElementsByTagName("interface"):
1348
1235
# Add annotation tags
1349
1236
for typ in ("method", "signal"):
1376
1263
if_tag.appendChild(ann_tag)
1377
1264
# Fix argument name for the Introspect method itself
1378
1265
if (if_tag.getAttribute("name")
1379
== dbus.INTROSPECTABLE_IFACE):
1266
== dbus.INTROSPECTABLE_IFACE):
1380
1267
for cn in if_tag.getElementsByTagName("method"):
1381
1268
if cn.getAttribute("name") == "Introspect":
1382
1269
for arg in cn.getElementsByTagName("arg"):
1388
1275
document.unlink()
1389
1276
except (AttributeError, xml.dom.DOMException,
1390
1277
xml.parsers.expat.ExpatError) as error:
1391
log.error("Failed to override Introspection method",
1392
exc_info=error)
1278
logger.error("Failed to override Introspection method",
1279
exc_info=error)
1393
1280
return xmlstring
1394
1281
1395
1282
1396
1283
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1397
1284
"""A D-Bus object with properties.
1398
1285
1399
1286
Classes inheriting from this can use the dbus_service_property
1400
1287
decorator to expose methods as D-Bus properties. It exposes the
1401
1288
standard Get(), Set(), and GetAll() methods on the D-Bus.
1402
1289
"""
1403
1290
1404
1291
def _get_dbus_property(self, interface_name, property_name):
1405
1292
"""Returns a bound method if one exists which is a D-Bus
1406
1293
property with the specified name and interface.
1411
1298
if (value._dbus_name == property_name
1412
1299
and value._dbus_interface == interface_name):
1413
1300
return value.__get__(self)
1414
1301
1415
1302
# No such property
1416
1303
raise DBusPropertyNotFound("{}:{}.{}".format(
1417
1304
self.dbus_object_path, interface_name, property_name))
1418
1305
1419
1306
@classmethod
1420
1307
def _get_all_interface_names(cls):
1421
1308
"""Get a sequence of all interfaces supported by an object"""
1424
1311
for x in (inspect.getmro(cls))
1425
1312
for attr in dir(x))
1426
1313
if name is not None)
1427
1314
1428
1315
@dbus.service.method(dbus.PROPERTIES_IFACE,
1429
1316
in_signature="ss",
1430
1317
out_signature="v")
1438
1325
if not hasattr(value, "variant_level"):
1439
1326
return value
1440
1327
return type(value)(value, variant_level=value.variant_level+1)
1441
1328
1442
1329
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1443
1330
def Set(self, interface_name, property_name, value):
1444
1331
"""Standard D-Bus property Set() method, see D-Bus standard.
1453
1340
raise ValueError("Byte arrays not supported for non-"
1454
1341
"'ay' signature {!r}"
1455
1342
.format(prop._dbus_signature))
1456
value = dbus.ByteArray(bytes(value))
1343
value = dbus.ByteArray(b''.join(chr(byte)
1344
for byte in value))
1457
1345
prop(value)
1458
1346
1459
1347
@dbus.service.method(dbus.PROPERTIES_IFACE,
1460
1348
in_signature="s",
1461
1349
out_signature="a{sv}")
1462
1350
def GetAll(self, interface_name):
1463
1351
"""Standard D-Bus property GetAll() method, see D-Bus
1464
1352
standard.
1465
1353
1466
1354
Note: Will not include properties with access="write".
1467
1355
"""
1468
1356
properties = {}
1479
1367
properties[name] = value
1480
1368
continue
1481
1369
properties[name] = type(value)(
1482
value, variant_level=value.variant_level + 1)
1370
value, variant_level = value.variant_level + 1)
1483
1371
return dbus.Dictionary(properties, signature="sv")
1484
1372
1485
1373
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1486
1374
def PropertiesChanged(self, interface_name, changed_properties,
1487
1375
invalidated_properties):
1489
1377
standard.
1490
1378
"""
1491
1379
pass
1492
1380
1493
1381
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1494
1382
out_signature="s",
1495
path_keyword="object_path",
1496
connection_keyword="connection")
1383
path_keyword='object_path',
1384
connection_keyword='connection')
1497
1385
def Introspect(self, object_path, connection):
1498
1386
"""Overloading of standard D-Bus method.
1499
1387
1500
1388
Inserts property tags and interface annotation tags.
1501
1389
"""
1502
1390
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1504
1392
connection)
1505
1393
try:
1506
1394
document = xml.dom.minidom.parseString(xmlstring)
1507
1395
1508
1396
def make_tag(document, name, prop):
1509
1397
e = document.createElement("property")
1510
1398
e.setAttribute("name", name)
1511
1399
e.setAttribute("type", prop._dbus_signature)
1512
1400
e.setAttribute("access", prop._dbus_access)
1513
1401
return e
1514
1402
1515
1403
for if_tag in document.getElementsByTagName("interface"):
1516
1404
# Add property tags
1517
1405
for tag in (make_tag(document, name, prop)
1555
1443
document.unlink()
1556
1444
except (AttributeError, xml.dom.DOMException,
1557
1445
xml.parsers.expat.ExpatError) as error:
1558
log.error("Failed to override Introspection method",
1559
exc_info=error)
1446
logger.error("Failed to override Introspection method",
1447
exc_info=error)
1560
1448
return xmlstring
1561
1449
1562
1563
1450
try:
1564
1451
dbus.OBJECT_MANAGER_IFACE
1565
1452
except AttributeError:
1566
1453
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1567
1454
1568
1569
1455
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1570
1456
"""A D-Bus object with an ObjectManager.
1571
1457
1572
1458
Classes inheriting from this exposes the standard
1573
1459
GetManagedObjects call and the InterfacesAdded and
1574
1460
InterfacesRemoved signals on the standard
1575
1461
"org.freedesktop.DBus.ObjectManager" interface.
1576
1462
1577
1463
Note: No signals are sent automatically; they must be sent
1578
1464
manually.
1579
1465
"""
1580
1466
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1581
out_signature="a{oa{sa{sv}}}")
1467
out_signature = "a{oa{sa{sv}}}")
1582
1468
def GetManagedObjects(self):
1583
1469
"""This function must be overridden"""
1584
1470
raise NotImplementedError()
1585
1471
1586
1472
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1587
signature="oa{sa{sv}}")
1473
signature = "oa{sa{sv}}")
1588
1474
def InterfacesAdded(self, object_path, interfaces_and_properties):
1589
1475
pass
1590
1591
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1476
1477
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1592
1478
def InterfacesRemoved(self, object_path, interfaces):
1593
1479
pass
1594
1480
1595
1481
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1596
out_signature="s",
1597
path_keyword="object_path",
1598
connection_keyword="connection")
1482
out_signature = "s",
1483
path_keyword = 'object_path',
1484
connection_keyword = 'connection')
1599
1485
def Introspect(self, object_path, connection):
1600
1486
"""Overloading of standard D-Bus method.
1601
1487
1602
1488
Override return argument name of GetManagedObjects to be
1603
1489
"objpath_interfaces_and_properties"
1604
1490
"""
1607
1493
connection)
1608
1494
try:
1609
1495
document = xml.dom.minidom.parseString(xmlstring)
1610
1496
1611
1497
for if_tag in document.getElementsByTagName("interface"):
1612
1498
# Fix argument name for the GetManagedObjects method
1613
1499
if (if_tag.getAttribute("name")
1614
== dbus.OBJECT_MANAGER_IFACE):
1500
== dbus.OBJECT_MANAGER_IFACE):
1615
1501
for cn in if_tag.getElementsByTagName("method"):
1616
1502
if (cn.getAttribute("name")
1617
1503
== "GetManagedObjects"):
1626
1512
document.unlink()
1627
1513
except (AttributeError, xml.dom.DOMException,
1628
1514
xml.parsers.expat.ExpatError) as error:
1629
log.error("Failed to override Introspection method",
1630
exc_info=error)
1515
logger.error("Failed to override Introspection method",
1516
exc_info = error)
1631
1517
return xmlstring
1632
1518
1633
1634
1519
def datetime_to_dbus(dt, variant_level=0):
1635
1520
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1636
1521
if dt is None:
1637
return dbus.String("", variant_level=variant_level)
1522
return dbus.String("", variant_level = variant_level)
1638
1523
return dbus.String(dt.isoformat(), variant_level=variant_level)
1639
1524
1640
1525
1643
1528
dbus.service.Object, it will add alternate D-Bus attributes with
1644
1529
interface names according to the "alt_interface_names" mapping.
1645
1530
Usage:
1646
1531
1647
1532
@alternate_dbus_interfaces({"org.example.Interface":
1648
1533
"net.example.AlternateInterface"})
1649
1534
class SampleDBusObject(dbus.service.Object):
1650
1535
@dbus.service.method("org.example.Interface")
1651
1536
def SampleDBusMethod():
1652
1537
pass
1653
1538
1654
1539
The above "SampleDBusMethod" on "SampleDBusObject" will be
1655
1540
reachable via two interfaces: "org.example.Interface" and
1656
1541
"net.example.AlternateInterface", the latter of which will have
1657
1542
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1658
1543
"true", unless "deprecate" is passed with a False value.
1659
1544
1660
1545
This works for methods and signals, and also for D-Bus properties
1661
1546
(from DBusObjectWithProperties) and interfaces (from the
1662
1547
dbus_interface_annotations decorator).
1663
1548
"""
1664
1549
1665
1550
def wrapper(cls):
1666
1551
for orig_interface_name, alt_interface_name in (
1667
1552
alt_interface_names.items()):
1707
1592
attribute._dbus_annotations)
1708
1593
except AttributeError:
1709
1594
pass
1710
1711
1595
# Define a creator of a function to call both the
1712
1596
# original and alternate functions, so both the
1713
1597
# original and alternate signals gets sent when
1716
1600
"""This function is a scope container to pass
1717
1601
func1 and func2 to the "call_both" function
1718
1602
outside of its arguments"""
1719
1603
1720
1604
@functools.wraps(func2)
1721
1605
def call_both(*args, **kwargs):
1722
1606
"""This function will emit two D-Bus
1723
1607
signals by calling func1 and func2"""
1724
1608
func1(*args, **kwargs)
1725
1609
func2(*args, **kwargs)
1726
# Make wrapper function look like a D-Bus
1727
# signal
1610
# Make wrapper function look like a D-Bus signal
1728
1611
for name, attr in inspect.getmembers(func2):
1729
1612
if name.startswith("_dbus_"):
1730
1613
setattr(call_both, name, attr)
1731
1614
1732
1615
return call_both
1733
1616
# Create the "call_both" function and add it to
1734
1617
# the class
1780
1663
(copy_function(attribute)))
1781
1664
if deprecate:
1782
1665
# Deprecate all alternate interfaces
1783
iname = "_AlternateDBusNames_interface_annotation{}"
1666
iname="_AlternateDBusNames_interface_annotation{}"
1784
1667
for interface_name in interface_names:
1785
1668
1786
1669
@dbus_interface_annotations(interface_name)
1787
1670
def func(self):
1788
return {"org.freedesktop.DBus.Deprecated":
1789
"true"}
1671
return { "org.freedesktop.DBus.Deprecated":
1672
"true" }
1790
1673
# Find an unused name
1791
1674
for aname in (iname.format(i)
1792
1675
for i in itertools.count()):
1803
1686
cls = type("{}Alternate".format(cls.__name__),
1804
1687
(cls, ), attr)
1805
1688
return cls
1806
1689
1807
1690
return wrapper
1808
1691
1809
1692
1811
1694
"se.bsnet.fukt.Mandos"})
1812
1695
class ClientDBus(Client, DBusObjectWithProperties):
1813
1696
"""A Client class using D-Bus
1814
1697
1815
1698
Attributes:
1816
1699
dbus_object_path: dbus.ObjectPath
1817
1700
bus: dbus.SystemBus()
1818
1701
"""
1819
1702
1820
1703
runtime_expansions = (Client.runtime_expansions
1821
1704
+ ("dbus_object_path", ))
1822
1705
1823
1706
_interface = "se.recompile.Mandos.Client"
1824
1707
1825
1708
# dbus.service.Object doesn't use super(), so we can't either.
1826
1827
def __init__(self, bus=None, *args, **kwargs):
1709
1710
def __init__(self, bus = None, *args, **kwargs):
1828
1711
self.bus = bus
1829
1712
Client.__init__(self, *args, **kwargs)
1830
1713
# Only now, when this client is initialized, can it show up on
1836
1719
"/clients/" + client_object_name)
1837
1720
DBusObjectWithProperties.__init__(self, self.bus,
1838
1721
self.dbus_object_path)
1839
1722
1840
1723
def notifychangeproperty(transform_func, dbus_name,
1841
1724
type_func=lambda x: x,
1842
1725
variant_level=1,
1844
1727
_interface=_interface):
1845
1728
""" Modify a variable so that it's a property which announces
1846
1729
its changes to DBus.
1847
1730
1848
1731
transform_fun: Function that takes a value and a variant_level
1849
1732
and transforms it to a D-Bus type.
1850
1733
dbus_name: D-Bus name of the variable
1853
1736
variant_level: D-Bus variant level. Default: 1
1854
1737
"""
1855
1738
attrname = "_{}".format(dbus_name)
1856
1739
1857
1740
def setter(self, value):
1858
1741
if hasattr(self, "dbus_object_path"):
1859
1742
if (not hasattr(self, attrname) or
1866
1749
else:
1867
1750
dbus_value = transform_func(
1868
1751
type_func(value),
1869
variant_level=variant_level)
1752
variant_level = variant_level)
1870
1753
self.PropertyChanged(dbus.String(dbus_name),
1871
1754
dbus_value)
1872
1755
self.PropertiesChanged(
1873
1756
_interface,
1874
dbus.Dictionary({dbus.String(dbus_name):
1875
dbus_value}),
1757
dbus.Dictionary({ dbus.String(dbus_name):
1758
dbus_value }),
1876
1759
dbus.Array())
1877
1760
setattr(self, attrname, value)
1878
1761
1879
1762
return property(lambda self: getattr(self, attrname), setter)
1880
1763
1881
1764
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1882
1765
approvals_pending = notifychangeproperty(dbus.Boolean,
1883
1766
"ApprovalPending",
1884
type_func=bool)
1767
type_func = bool)
1885
1768
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1886
1769
last_enabled = notifychangeproperty(datetime_to_dbus,
1887
1770
"LastEnabled")
1888
1771
checker = notifychangeproperty(
1889
1772
dbus.Boolean, "CheckerRunning",
1890
type_func=lambda checker: checker is not None)
1773
type_func = lambda checker: checker is not None)
1891
1774
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1892
1775
"LastCheckedOK")
1893
1776
last_checker_status = notifychangeproperty(dbus.Int16,
1898
1781
"ApprovedByDefault")
1899
1782
approval_delay = notifychangeproperty(
1900
1783
dbus.UInt64, "ApprovalDelay",
1901
type_func=lambda td: td.total_seconds() * 1000)
1784
type_func = lambda td: td.total_seconds() * 1000)
1902
1785
approval_duration = notifychangeproperty(
1903
1786
dbus.UInt64, "ApprovalDuration",
1904
type_func=lambda td: td.total_seconds() * 1000)
1787
type_func = lambda td: td.total_seconds() * 1000)
1905
1788
host = notifychangeproperty(dbus.String, "Host")
1906
1789
timeout = notifychangeproperty(
1907
1790
dbus.UInt64, "Timeout",
1908
type_func=lambda td: td.total_seconds() * 1000)
1791
type_func = lambda td: td.total_seconds() * 1000)
1909
1792
extended_timeout = notifychangeproperty(
1910
1793
dbus.UInt64, "ExtendedTimeout",
1911
type_func=lambda td: td.total_seconds() * 1000)
1794
type_func = lambda td: td.total_seconds() * 1000)
1912
1795
interval = notifychangeproperty(
1913
1796
dbus.UInt64, "Interval",
1914
type_func=lambda td: td.total_seconds() * 1000)
1797
type_func = lambda td: td.total_seconds() * 1000)
1915
1798
checker_command = notifychangeproperty(dbus.String, "Checker")
1916
1799
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1917
1800
invalidate_only=True)
1918
1801
1919
1802
del notifychangeproperty
1920
1803
1921
1804
def __del__(self, *args, **kwargs):
1922
1805
try:
1923
1806
self.remove_from_connection()
1926
1809
if hasattr(DBusObjectWithProperties, "__del__"):
1927
1810
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1928
1811
Client.__del__(self, *args, **kwargs)
1929
1812
1930
1813
def checker_callback(self, source, condition,
1931
1814
connection, command, *args, **kwargs):
1932
1815
ret = Client.checker_callback(self, source, condition,
1948
1831
| self.last_checker_signal),
1949
1832
dbus.String(command))
1950
1833
return ret
1951
1834
1952
1835
def start_checker(self, *args, **kwargs):
1953
1836
old_checker_pid = getattr(self.checker, "pid", None)
1954
1837
r = Client.start_checker(self, *args, **kwargs)
1958
1841
# Emit D-Bus signal
1959
1842
self.CheckerStarted(self.current_checker_command)
1960
1843
return r
1961
1844
1962
1845
def _reset_approved(self):
1963
1846
self.approved = None
1964
1847
return False
1965
1848
1966
1849
def approve(self, value=True):
1967
1850
self.approved = value
1968
1851
GLib.timeout_add(int(self.approval_duration.total_seconds()
1969
1852
* 1000), self._reset_approved)
1970
1853
self.send_changedstate()
1971
1972
# D-Bus methods, signals & properties
1973
1974
# Interfaces
1975
1976
# Signals
1977
1854
1855
## D-Bus methods, signals & properties
1856
1857
## Interfaces
1858
1859
## Signals
1860
1978
1861
# CheckerCompleted - signal
1979
1862
@dbus.service.signal(_interface, signature="nxs")
1980
1863
def CheckerCompleted(self, exitcode, waitstatus, command):
1981
1864
"D-Bus signal"
1982
1865
pass
1983
1866
1984
1867
# CheckerStarted - signal
1985
1868
@dbus.service.signal(_interface, signature="s")
1986
1869
def CheckerStarted(self, command):
1987
1870
"D-Bus signal"
1988
1871
pass
1989
1872
1990
1873
# PropertyChanged - signal
1991
1874
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1992
1875
@dbus.service.signal(_interface, signature="sv")
1993
1876
def PropertyChanged(self, property, value):
1994
1877
"D-Bus signal"
1995
1878
pass
1996
1879
1997
1880
# GotSecret - signal
1998
1881
@dbus.service.signal(_interface)
1999
1882
def GotSecret(self):
2002
1885
server to mandos-client
2003
1886
"""
2004
1887
pass
2005
1888
2006
1889
# Rejected - signal
2007
1890
@dbus.service.signal(_interface, signature="s")
2008
1891
def Rejected(self, reason):
2009
1892
"D-Bus signal"
2010
1893
pass
2011
1894
2012
1895
# NeedApproval - signal
2013
1896
@dbus.service.signal(_interface, signature="tb")
2014
1897
def NeedApproval(self, timeout, default):
2015
1898
"D-Bus signal"
2016
1899
return self.need_approval()
2017
2018
# Methods
2019
1900
1901
## Methods
1902
2020
1903
# Approve - method
2021
1904
@dbus.service.method(_interface, in_signature="b")
2022
1905
def Approve(self, value):
2023
1906
self.approve(value)
2024
1907
2025
1908
# CheckedOK - method
2026
1909
@dbus.service.method(_interface)
2027
1910
def CheckedOK(self):
2028
1911
self.checked_ok()
2029
1912
2030
1913
# Enable - method
2031
1914
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2032
1915
@dbus.service.method(_interface)
2033
1916
def Enable(self):
2034
1917
"D-Bus method"
2035
1918
self.enable()
2036
1919
2037
1920
# StartChecker - method
2038
1921
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2039
1922
@dbus.service.method(_interface)
2040
1923
def StartChecker(self):
2041
1924
"D-Bus method"
2042
1925
self.start_checker()
2043
1926
2044
1927
# Disable - method
2045
1928
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2046
1929
@dbus.service.method(_interface)
2047
1930
def Disable(self):
2048
1931
"D-Bus method"
2049
1932
self.disable()
2050
1933
2051
1934
# StopChecker - method
2052
1935
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2053
1936
@dbus.service.method(_interface)
2054
1937
def StopChecker(self):
2055
1938
self.stop_checker()
2056
2057
# Properties
2058
1939
1940
## Properties
1941
2059
1942
# ApprovalPending - property
2060
1943
@dbus_service_property(_interface, signature="b", access="read")
2061
1944
def ApprovalPending_dbus_property(self):
2062
1945
return dbus.Boolean(bool(self.approvals_pending))
2063
1946
2064
1947
# ApprovedByDefault - property
2065
1948
@dbus_service_property(_interface,
2066
1949
signature="b",
2069
1952
if value is None: # get
2070
1953
return dbus.Boolean(self.approved_by_default)
2071
1954
self.approved_by_default = bool(value)
2072
1955
2073
1956
# ApprovalDelay - property
2074
1957
@dbus_service_property(_interface,
2075
1958
signature="t",
2079
1962
return dbus.UInt64(self.approval_delay.total_seconds()
2080
1963
* 1000)
2081
1964
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2082
1965
2083
1966
# ApprovalDuration - property
2084
1967
@dbus_service_property(_interface,
2085
1968
signature="t",
2089
1972
return dbus.UInt64(self.approval_duration.total_seconds()
2090
1973
* 1000)
2091
1974
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2092
1975
2093
1976
# Name - property
2094
1977
@dbus_annotations(
2095
1978
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2096
1979
@dbus_service_property(_interface, signature="s", access="read")
2097
1980
def Name_dbus_property(self):
2098
1981
return dbus.String(self.name)
2099
2100
# KeyID - property
2101
@dbus_annotations(
2102
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2103
@dbus_service_property(_interface, signature="s", access="read")
2104
def KeyID_dbus_property(self):
2105
return dbus.String(self.key_id)
2106
1982
2107
1983
# Fingerprint - property
2108
1984
@dbus_annotations(
2109
1985
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2110
1986
@dbus_service_property(_interface, signature="s", access="read")
2111
1987
def Fingerprint_dbus_property(self):
2112
1988
return dbus.String(self.fingerprint)
2113
1989
2114
1990
# Host - property
2115
1991
@dbus_service_property(_interface,
2116
1992
signature="s",
2119
1995
if value is None: # get
2120
1996
return dbus.String(self.host)
2121
1997
self.host = str(value)
2122
1998
2123
1999
# Created - property
2124
2000
@dbus_annotations(
2125
2001
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2126
2002
@dbus_service_property(_interface, signature="s", access="read")
2127
2003
def Created_dbus_property(self):
2128
2004
return datetime_to_dbus(self.created)
2129
2005
2130
2006
# LastEnabled - property
2131
2007
@dbus_service_property(_interface, signature="s", access="read")
2132
2008
def LastEnabled_dbus_property(self):
2133
2009
return datetime_to_dbus(self.last_enabled)
2134
2010
2135
2011
# Enabled - property
2136
2012
@dbus_service_property(_interface,
2137
2013
signature="b",
2143
2019
self.enable()
2144
2020
else:
2145
2021
self.disable()
2146
2022
2147
2023
# LastCheckedOK - property
2148
2024
@dbus_service_property(_interface,
2149
2025
signature="s",
2153
2029
self.checked_ok()
2154
2030
return
2155
2031
return datetime_to_dbus(self.last_checked_ok)
2156
2032
2157
2033
# LastCheckerStatus - property
2158
2034
@dbus_service_property(_interface, signature="n", access="read")
2159
2035
def LastCheckerStatus_dbus_property(self):
2160
2036
return dbus.Int16(self.last_checker_status)
2161
2037
2162
2038
# Expires - property
2163
2039
@dbus_service_property(_interface, signature="s", access="read")
2164
2040
def Expires_dbus_property(self):
2165
2041
return datetime_to_dbus(self.expires)
2166
2042
2167
2043
# LastApprovalRequest - property
2168
2044
@dbus_service_property(_interface, signature="s", access="read")
2169
2045
def LastApprovalRequest_dbus_property(self):
2170
2046
return datetime_to_dbus(self.last_approval_request)
2171
2047
2172
2048
# Timeout - property
2173
2049
@dbus_service_property(_interface,
2174
2050
signature="t",
2193
2069
self.disable_initiator_tag = GLib.timeout_add(
2194
2070
int((self.expires - now).total_seconds() * 1000),
2195
2071
self.disable)
2196
2072
2197
2073
# ExtendedTimeout - property
2198
2074
@dbus_service_property(_interface,
2199
2075
signature="t",
2203
2079
return dbus.UInt64(self.extended_timeout.total_seconds()
2204
2080
* 1000)
2205
2081
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2206
2082
2207
2083
# Interval - property
2208
2084
@dbus_service_property(_interface,
2209
2085
signature="t",
2219
2095
GLib.source_remove(self.checker_initiator_tag)
2220
2096
self.checker_initiator_tag = GLib.timeout_add(
2221
2097
value, self.start_checker)
2222
self.start_checker() # Start one now, too
2223
2098
self.start_checker() # Start one now, too
2099
2224
2100
# Checker - property
2225
2101
@dbus_service_property(_interface,
2226
2102
signature="s",
2229
2105
if value is None: # get
2230
2106
return dbus.String(self.checker_command)
2231
2107
self.checker_command = str(value)
2232
2108
2233
2109
# CheckerRunning - property
2234
2110
@dbus_service_property(_interface,
2235
2111
signature="b",
2241
2117
self.start_checker()
2242
2118
else:
2243
2119
self.stop_checker()
2244
2120
2245
2121
# ObjectPath - property
2246
2122
@dbus_annotations(
2247
2123
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2248
2124
"org.freedesktop.DBus.Deprecated": "true"})
2249
2125
@dbus_service_property(_interface, signature="o", access="read")
2250
2126
def ObjectPath_dbus_property(self):
2251
return self.dbus_object_path # is already a dbus.ObjectPath
2252
2127
return self.dbus_object_path # is already a dbus.ObjectPath
2128
2253
2129
# Secret = property
2254
2130
@dbus_annotations(
2255
2131
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2260
2136
byte_arrays=True)
2261
2137
def Secret_dbus_property(self, value):
2262
2138
self.secret = bytes(value)
2263
2139
2264
2140
del _interface
2265
2141
2266
2142
2267
class ProxyClient:
2268
def __init__(self, child_pipe, key_id, fpr, address):
2143
class ProxyClient(object):
2144
def __init__(self, child_pipe, fpr, address):
2269
2145
self._pipe = child_pipe
2270
self._pipe.send(("init", key_id, fpr, address))
2146
self._pipe.send(('init', fpr, address))
2271
2147
if not self._pipe.recv():
2272
raise KeyError(key_id or fpr)
2273
2148
raise KeyError(fpr)
2149
2274
2150
def __getattribute__(self, name):
2275
if name == "_pipe":
2151
if name == '_pipe':
2276
2152
return super(ProxyClient, self).__getattribute__(name)
2277
self._pipe.send(("getattr", name))
2153
self._pipe.send(('getattr', name))
2278
2154
data = self._pipe.recv()
2279
if data[0] == "data":
2155
if data[0] == 'data':
2280
2156
return data[1]
2281
if data[0] == "function":
2282
2157
if data[0] == 'function':
2158
2283
2159
def func(*args, **kwargs):
2284
self._pipe.send(("funcall", name, args, kwargs))
2160
self._pipe.send(('funcall', name, args, kwargs))
2285
2161
return self._pipe.recv()[1]
2286
2162
2287
2163
return func
2288
2164
2289
2165
def __setattr__(self, name, value):
2290
if name == "_pipe":
2166
if name == '_pipe':
2291
2167
return super(ProxyClient, self).__setattr__(name, value)
2292
self._pipe.send(("setattr", name, value))
2168
self._pipe.send(('setattr', name, value))
2293
2169
2294
2170
2295
2171
class ClientHandler(socketserver.BaseRequestHandler, object):
2296
2172
"""A class to handle client connections.
2297
2173
2298
2174
Instantiated once for each connection to handle it.
2299
2175
Note: This will run in its own forked process."""
2300
2176
2301
2177
def handle(self):
2302
2178
with contextlib.closing(self.server.child_pipe) as child_pipe:
2303
log.info("TCP connection from: %s",
2304
str(self.client_address))
2305
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2306
2179
logger.info("TCP connection from: %s",
2180
str(self.client_address))
2181
logger.debug("Pipe FD: %d",
2182
self.server.child_pipe.fileno())
2183
2307
2184
session = gnutls.ClientSession(self.request)
2308
2309
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2310
# "+AES-256-CBC", "+SHA1",
2311
# "+COMP-NULL", "+CTYPE-OPENPGP",
2312
# "+DHE-DSS"))
2185
2186
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2187
# "+AES-256-CBC", "+SHA1",
2188
# "+COMP-NULL", "+CTYPE-OPENPGP",
2189
# "+DHE-DSS"))
2313
2190
# Use a fallback default, since this MUST be set.
2314
2191
priority = self.server.gnutls_priority
2315
2192
if priority is None:
2316
2193
priority = "NORMAL"
2317
gnutls.priority_set_direct(session,
2318
priority.encode("utf-8"), None)
2319
2194
gnutls.priority_set_direct(session._c_object,
2195
priority.encode("utf-8"),
2196
None)
2197
2320
2198
# Start communication using the Mandos protocol
2321
2199
# Get protocol number
2322
2200
line = self.request.makefile().readline()
2323
log.debug("Protocol version: %r", line)
2201
logger.debug("Protocol version: %r", line)
2324
2202
try:
2325
2203
if int(line.strip().split()[0]) > 1:
2326
2204
raise RuntimeError(line)
2327
2205
except (ValueError, IndexError, RuntimeError) as error:
2328
log.error("Unknown protocol version: %s", error)
2206
logger.error("Unknown protocol version: %s", error)
2329
2207
return
2330
2208
2331
2209
# Start GnuTLS connection
2332
2210
try:
2333
2211
session.handshake()
2334
2212
except gnutls.Error as error:
2335
log.warning("Handshake failed: %s", error)
2213
logger.warning("Handshake failed: %s", error)
2336
2214
# Do not run session.bye() here: the session is not
2337
2215
# established. Just abandon the request.
2338
2216
return
2339
log.debug("Handshake succeeded")
2340
2217
logger.debug("Handshake succeeded")
2218
2341
2219
approval_required = False
2342
2220
try:
2343
if gnutls.has_rawpk:
2344
fpr = b""
2345
try:
2346
key_id = self.key_id(
2347
self.peer_certificate(session))
2348
except (TypeError, gnutls.Error) as error:
2349
log.warning("Bad certificate: %s", error)
2350
return
2351
log.debug("Key ID: %s",
2352
key_id.decode("utf-8",
2353
errors="replace"))
2354
2355
else:
2356
key_id = b""
2357
try:
2358
fpr = self.fingerprint(
2359
self.peer_certificate(session))
2360
except (TypeError, gnutls.Error) as error:
2361
log.warning("Bad certificate: %s", error)
2362
return
2363
log.debug("Fingerprint: %s", fpr)
2364
2365
try:
2366
client = ProxyClient(child_pipe, key_id, fpr,
2221
try:
2222
fpr = self.fingerprint(
2223
self.peer_certificate(session))
2224
except (TypeError, gnutls.Error) as error:
2225
logger.warning("Bad certificate: %s", error)
2226
return
2227
logger.debug("Fingerprint: %s", fpr)
2228
2229
try:
2230
client = ProxyClient(child_pipe, fpr,
2367
2231
self.client_address)
2368
2232
except KeyError:
2369
2233
return
2370
2234
2371
2235
if client.approval_delay:
2372
2236
delay = client.approval_delay
2373
2237
client.approvals_pending += 1
2374
2238
approval_required = True
2375
2239
2376
2240
while True:
2377
2241
if not client.enabled:
2378
log.info("Client %s is disabled", client.name)
2242
logger.info("Client %s is disabled",
2243
client.name)
2379
2244
if self.server.use_dbus:
2380
2245
# Emit D-Bus signal
2381
2246
client.Rejected("Disabled")
2382
2247
return
2383
2248
2384
2249
if client.approved or not client.approval_delay:
2385
# We are approved or approval is disabled
2250
#We are approved or approval is disabled
2386
2251
break
2387
2252
elif client.approved is None:
2388
log.info("Client %s needs approval",
2389
client.name)
2253
logger.info("Client %s needs approval",
2254
client.name)
2390
2255
if self.server.use_dbus:
2391
2256
# Emit D-Bus signal
2392
2257
client.NeedApproval(
2393
2258
client.approval_delay.total_seconds()
2394
2259
* 1000, client.approved_by_default)
2395
2260
else:
2396
log.warning("Client %s was not approved",
2397
client.name)
2261
logger.warning("Client %s was not approved",
2262
client.name)
2398
2263
if self.server.use_dbus:
2399
2264
# Emit D-Bus signal
2400
2265
client.Rejected("Denied")
2401
2266
return
2402
2403
# wait until timeout or approved
2267
2268
#wait until timeout or approved
2404
2269
time = datetime.datetime.now()
2405
2270
client.changedstate.acquire()
2406
2271
client.changedstate.wait(delay.total_seconds())
2408
2273
time2 = datetime.datetime.now()
2409
2274
if (time2 - time) >= delay:
2410
2275
if not client.approved_by_default:
2411
log.warning("Client %s timed out while"
2412
" waiting for approval",
2413
client.name)
2276
logger.warning("Client %s timed out while"
2277
" waiting for approval",
2278
client.name)
2414
2279
if self.server.use_dbus:
2415
2280
# Emit D-Bus signal
2416
2281
client.Rejected("Approval timed out")
2419
2284
break
2420
2285
else:
2421
2286
delay -= time2 - time
2422
2287
2423
2288
try:
2424
2289
session.send(client.secret)
2425
2290
except gnutls.Error as error:
2426
log.warning("gnutls send failed", exc_info=error)
2291
logger.warning("gnutls send failed",
2292
exc_info = error)
2427
2293
return
2428
2429
log.info("Sending secret to %s", client.name)
2294
2295
logger.info("Sending secret to %s", client.name)
2430
2296
# bump the timeout using extended_timeout
2431
2297
client.bump_timeout(client.extended_timeout)
2432
2298
if self.server.use_dbus:
2433
2299
# Emit D-Bus signal
2434
2300
client.GotSecret()
2435
2301
2436
2302
finally:
2437
2303
if approval_required:
2438
2304
client.approvals_pending -= 1
2439
2305
try:
2440
2306
session.bye()
2441
2307
except gnutls.Error as error:
2442
log.warning("GnuTLS bye failed", exc_info=error)
2443
2308
logger.warning("GnuTLS bye failed",
2309
exc_info=error)
2310
2444
2311
@staticmethod
2445
2312
def peer_certificate(session):
2446
"Return the peer's certificate as a bytestring"
2447
try:
2448
cert_type = gnutls.certificate_type_get2(
2449
session, gnutls.CTYPE_PEERS)
2450
except AttributeError:
2451
cert_type = gnutls.certificate_type_get(session)
2452
if gnutls.has_rawpk:
2453
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2454
else:
2455
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2456
# If not a valid certificate type...
2457
if cert_type not in valid_cert_types:
2458
log.info("Cert type %r not in %r", cert_type,
2459
valid_cert_types)
2313
"Return the peer's OpenPGP certificate as a bytestring"
2314
# If not an OpenPGP certificate...
2315
if (gnutls.certificate_type_get(session._c_object)
2316
!= gnutls.CRT_OPENPGP):
2460
2317
# ...return invalid data
2461
2318
return b""
2462
2319
list_size = ctypes.c_uint(1)
2463
2320
cert_list = (gnutls.certificate_get_peers
2464
(session, ctypes.byref(list_size)))
2321
(session._c_object, ctypes.byref(list_size)))
2465
2322
if not bool(cert_list) and list_size.value != 0:
2466
2323
raise gnutls.Error("error getting peer certificate")
2467
2324
if list_size.value == 0:
2468
2325
return None
2469
2326
cert = cert_list[0]
2470
2327
return ctypes.string_at(cert.data, cert.size)
2471
2472
@staticmethod
2473
def key_id(certificate):
2474
"Convert a certificate bytestring to a hexdigit key ID"
2475
# New GnuTLS "datum" with the public key
2476
datum = gnutls.datum_t(
2477
ctypes.cast(ctypes.c_char_p(certificate),
2478
ctypes.POINTER(ctypes.c_ubyte)),
2479
ctypes.c_uint(len(certificate)))
2480
# XXX all these need to be created in the gnutls "module"
2481
# New empty GnuTLS certificate
2482
pubkey = gnutls.pubkey_t()
2483
gnutls.pubkey_init(ctypes.byref(pubkey))
2484
# Import the raw public key into the certificate
2485
gnutls.pubkey_import(pubkey,
2486
ctypes.byref(datum),
2487
gnutls.X509_FMT_DER)
2488
# New buffer for the key ID
2489
buf = ctypes.create_string_buffer(32)
2490
buf_len = ctypes.c_size_t(len(buf))
2491
# Get the key ID from the raw public key into the buffer
2492
gnutls.pubkey_get_key_id(
2493
pubkey,
2494
gnutls.KEYID_USE_SHA256,
2495
ctypes.cast(ctypes.byref(buf),
2496
ctypes.POINTER(ctypes.c_ubyte)),
2497
ctypes.byref(buf_len))
2498
# Deinit the certificate
2499
gnutls.pubkey_deinit(pubkey)
2500
2501
# Convert the buffer to a Python bytestring
2502
key_id = ctypes.string_at(buf, buf_len.value)
2503
# Convert the bytestring to hexadecimal notation
2504
hex_key_id = binascii.hexlify(key_id).upper()
2505
return hex_key_id
2506
2328
2507
2329
@staticmethod
2508
2330
def fingerprint(openpgp):
2509
2331
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2524
2346
ctypes.byref(crtverify))
2525
2347
if crtverify.value != 0:
2526
2348
gnutls.openpgp_crt_deinit(crt)
2527
raise gnutls.CertificateSecurityError(code
2528
=crtverify.value)
2349
raise gnutls.CertificateSecurityError("Verify failed")
2529
2350
# New buffer for the fingerprint
2530
2351
buf = ctypes.create_string_buffer(20)
2531
2352
buf_len = ctypes.c_size_t()
2541
2362
return hex_fpr
2542
2363
2543
2364
2544
class MultiprocessingMixIn:
2365
class MultiprocessingMixIn(object):
2545
2366
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2546
2367
2547
2368
def sub_process_main(self, request, address):
2548
2369
try:
2549
2370
self.finish_request(request, address)
2550
2371
except Exception:
2551
2372
self.handle_error(request, address)
2552
2373
self.close_request(request)
2553
2374
2554
2375
def process_request(self, request, address):
2555
2376
"""Start a new process to process the request."""
2556
proc = multiprocessing.Process(target=self.sub_process_main,
2557
args=(request, address))
2377
proc = multiprocessing.Process(target = self.sub_process_main,
2378
args = (request, address))
2558
2379
proc.start()
2559
2380
return proc
2560
2381
2561
2382
2562
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2383
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2563
2384
""" adds a pipe to the MixIn """
2564
2385
2565
2386
def process_request(self, request, client_address):
2566
2387
"""Overrides and wraps the original process_request().
2567
2388
2568
2389
This function creates a new pipe in self.pipe
2569
2390
"""
2570
2391
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2571
2392
2572
2393
proc = MultiprocessingMixIn.process_request(self, request,
2573
2394
client_address)
2574
2395
self.child_pipe.close()
2575
2396
self.add_pipe(parent_pipe, proc)
2576
2397
2577
2398
def add_pipe(self, parent_pipe, proc):
2578
2399
"""Dummy function; override as necessary"""
2579
2400
raise NotImplementedError()
2580
2401
2581
2402
2582
2403
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2583
socketserver.TCPServer):
2584
"""IPv6-capable TCP server. Accepts None as address and/or port
2585
2404
socketserver.TCPServer, object):
2405
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2406
2586
2407
Attributes:
2587
2408
enabled: Boolean; whether this server is activated yet
2588
2409
interface: None or a network interface name (string)
2589
2410
use_ipv6: Boolean; to use IPv6 or not
2590
2411
"""
2591
2412
2592
2413
def __init__(self, server_address, RequestHandlerClass,
2593
2414
interface=None,
2594
2415
use_ipv6=True,
2604
2425
self.socketfd = socketfd
2605
2426
# Save the original socket.socket() function
2606
2427
self.socket_socket = socket.socket
2607
2608
2428
# To implement --socket, we monkey patch socket.socket.
2609
#
2429
#
2610
2430
# (When socketserver.TCPServer is a new-style class, we
2611
2431
# could make self.socket into a property instead of monkey
2612
2432
# patching socket.socket.)
2613
#
2433
#
2614
2434
# Create a one-time-only replacement for socket.socket()
2615
2435
@functools.wraps(socket.socket)
2616
2436
def socket_wrapper(*args, **kwargs):
2628
2448
# socket_wrapper(), if socketfd was set.
2629
2449
socketserver.TCPServer.__init__(self, server_address,
2630
2450
RequestHandlerClass)
2631
2451
2632
2452
def server_bind(self):
2633
2453
"""This overrides the normal server_bind() function
2634
2454
to bind to an interface if one was specified, and also NOT to
2638
2458
if SO_BINDTODEVICE is None:
2639
2459
# Fall back to a hard-coded value which seems to be
2640
2460
# common enough.
2641
log.warning("SO_BINDTODEVICE not found, trying 25")
2461
logger.warning("SO_BINDTODEVICE not found, trying 25")
2642
2462
SO_BINDTODEVICE = 25
2643
2463
try:
2644
2464
self.socket.setsockopt(
2646
2466
(self.interface + "\0").encode("utf-8"))
2647
2467
except socket.error as error:
2648
2468
if error.errno == errno.EPERM:
2649
log.error("No permission to bind to interface %s",
2650
self.interface)
2469
logger.error("No permission to bind to"
2470
" interface %s", self.interface)
2651
2471
elif error.errno == errno.ENOPROTOOPT:
2652
log.error("SO_BINDTODEVICE not available; cannot"
2653
" bind to interface %s", self.interface)
2472
logger.error("SO_BINDTODEVICE not available;"
2473
" cannot bind to interface %s",
2474
self.interface)
2654
2475
elif error.errno == errno.ENODEV:
2655
log.error("Interface %s does not exist, cannot"
2656
" bind", self.interface)
2476
logger.error("Interface %s does not exist,"
2477
" cannot bind", self.interface)
2657
2478
else:
2658
2479
raise
2659
2480
# Only bind(2) the socket if we really need to.
2660
2481
if self.server_address[0] or self.server_address[1]:
2661
if self.server_address[1]:
2662
self.allow_reuse_address = True
2663
2482
if not self.server_address[0]:
2664
2483
if self.address_family == socket.AF_INET6:
2665
any_address = "::" # in6addr_any
2484
any_address = "::" # in6addr_any
2666
2485
else:
2667
any_address = "0.0.0.0" # INADDR_ANY
2486
any_address = "0.0.0.0" # INADDR_ANY
2668
2487
self.server_address = (any_address,
2669
2488
self.server_address[1])
2670
2489
elif not self.server_address[1]:
2680
2499
2681
2500
class MandosServer(IPv6_TCPServer):
2682
2501
"""Mandos server.
2683
2502
2684
2503
Attributes:
2685
2504
clients: set of Client objects
2686
2505
gnutls_priority GnuTLS priority string
2687
2506
use_dbus: Boolean; to emit D-Bus signals or not
2688
2507
2689
2508
Assumes a GLib.MainLoop event loop.
2690
2509
"""
2691
2510
2692
2511
def __init__(self, server_address, RequestHandlerClass,
2693
2512
interface=None,
2694
2513
use_ipv6=True,
2704
2523
self.gnutls_priority = gnutls_priority
2705
2524
IPv6_TCPServer.__init__(self, server_address,
2706
2525
RequestHandlerClass,
2707
interface=interface,
2708
use_ipv6=use_ipv6,
2709
socketfd=socketfd)
2710
2526
interface = interface,
2527
use_ipv6 = use_ipv6,
2528
socketfd = socketfd)
2529
2711
2530
def server_activate(self):
2712
2531
if self.enabled:
2713
2532
return socketserver.TCPServer.server_activate(self)
2714
2533
2715
2534
def enable(self):
2716
2535
self.enabled = True
2717
2536
2718
2537
def add_pipe(self, parent_pipe, proc):
2719
2538
# Call "handle_ipc" for both data and EOF events
2720
2539
GLib.io_add_watch(
2721
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2722
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2540
parent_pipe.fileno(),
2541
GLib.IO_IN | GLib.IO_HUP,
2723
2542
functools.partial(self.handle_ipc,
2724
parent_pipe=parent_pipe,
2725
proc=proc))
2726
2543
parent_pipe = parent_pipe,
2544
proc = proc))
2545
2727
2546
def handle_ipc(self, source, condition,
2728
2547
parent_pipe=None,
2729
proc=None,
2548
proc = None,
2730
2549
client_object=None):
2731
2550
# error, or the other end of multiprocessing.Pipe has closed
2732
2551
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2733
2552
# Wait for other process to exit
2734
2553
proc.join()
2735
2554
return False
2736
2555
2737
2556
# Read a request from the child
2738
2557
request = parent_pipe.recv()
2739
2558
command = request[0]
2740
2741
if command == "init":
2742
key_id = request[1].decode("ascii")
2743
fpr = request[2].decode("ascii")
2744
address = request[3]
2745
2559
2560
if command == 'init':
2561
fpr = request[1]
2562
address = request[2]
2563
2746
2564
for c in self.clients.values():
2747
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2748
"27AE41E4649B934CA495991B7852B855"):
2749
continue
2750
if key_id and c.key_id == key_id:
2751
client = c
2752
break
2753
if fpr and c.fingerprint == fpr:
2565
if c.fingerprint == fpr:
2754
2566
client = c
2755
2567
break
2756
2568
else:
2757
log.info("Client not found for key ID: %s, address:"
2758
" %s", key_id or fpr, address)
2569
logger.info("Client not found for fingerprint: %s, ad"
2570
"dress: %s", fpr, address)
2759
2571
if self.use_dbus:
2760
2572
# Emit D-Bus signal
2761
mandos_dbus_service.ClientNotFound(key_id or fpr,
2573
mandos_dbus_service.ClientNotFound(fpr,
2762
2574
address[0])
2763
2575
parent_pipe.send(False)
2764
2576
return False
2765
2577
2766
2578
GLib.io_add_watch(
2767
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2768
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2579
parent_pipe.fileno(),
2580
GLib.IO_IN | GLib.IO_HUP,
2769
2581
functools.partial(self.handle_ipc,
2770
parent_pipe=parent_pipe,
2771
proc=proc,
2772
client_object=client))
2582
parent_pipe = parent_pipe,
2583
proc = proc,
2584
client_object = client))
2773
2585
parent_pipe.send(True)
2774
2586
# remove the old hook in favor of the new above hook on
2775
2587
# same fileno
2776
2588
return False
2777
if command == "funcall":
2589
if command == 'funcall':
2778
2590
funcname = request[1]
2779
2591
args = request[2]
2780
2592
kwargs = request[3]
2781
2782
parent_pipe.send(("data", getattr(client_object,
2593
2594
parent_pipe.send(('data', getattr(client_object,
2783
2595
funcname)(*args,
2784
2596
**kwargs)))
2785
2786
if command == "getattr":
2597
2598
if command == 'getattr':
2787
2599
attrname = request[1]
2788
2600
if isinstance(client_object.__getattribute__(attrname),
2789
collections.abc.Callable):
2790
parent_pipe.send(("function", ))
2601
collections.Callable):
2602
parent_pipe.send(('function', ))
2791
2603
else:
2792
2604
parent_pipe.send((
2793
"data", client_object.__getattribute__(attrname)))
2794
2795
if command == "setattr":
2605
'data', client_object.__getattribute__(attrname)))
2606
2607
if command == 'setattr':
2796
2608
attrname = request[1]
2797
2609
value = request[2]
2798
2610
setattr(client_object, attrname, value)
2799
2611
2800
2612
return True
2801
2613
2802
2614
2803
2615
def rfc3339_duration_to_delta(duration):
2804
2616
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2805
2806
>>> timedelta = datetime.timedelta
2807
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2808
True
2809
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2810
True
2811
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2812
True
2813
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2814
True
2815
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2816
True
2817
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2818
True
2819
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2820
True
2821
>>> del timedelta
2617
2618
>>> rfc3339_duration_to_delta("P7D")
2619
datetime.timedelta(7)
2620
>>> rfc3339_duration_to_delta("PT60S")
2621
datetime.timedelta(0, 60)
2622
>>> rfc3339_duration_to_delta("PT60M")
2623
datetime.timedelta(0, 3600)
2624
>>> rfc3339_duration_to_delta("PT24H")
2625
datetime.timedelta(1)
2626
>>> rfc3339_duration_to_delta("P1W")
2627
datetime.timedelta(7)
2628
>>> rfc3339_duration_to_delta("PT5M30S")
2629
datetime.timedelta(0, 330)
2630
>>> rfc3339_duration_to_delta("P1DT3M20S")
2631
datetime.timedelta(1, 200)
2822
2632
"""
2823
2633
2824
2634
# Parsing an RFC 3339 duration with regular expressions is not
2825
2635
# possible - there would have to be multiple places for the same
2826
2636
# values, like seconds. The current code, while more esoteric, is
2827
2637
# cleaner without depending on a parsing library. If Python had a
2828
2638
# built-in library for parsing we would use it, but we'd like to
2829
2639
# avoid excessive use of external libraries.
2830
2640
2831
2641
# New type for defining tokens, syntax, and semantics all-in-one
2832
2642
Token = collections.namedtuple("Token", (
2833
2643
"regexp", # To match token; if "value" is not None, must have
2866
2676
frozenset((token_year, token_month,
2867
2677
token_day, token_time,
2868
2678
token_week)))
2869
# Define starting values:
2870
# Value so far
2871
value = datetime.timedelta()
2679
# Define starting values
2680
value = datetime.timedelta() # Value so far
2872
2681
found_token = None
2873
# Following valid tokens
2874
followers = frozenset((token_duration, ))
2875
# String left to parse
2876
s = duration
2682
followers = frozenset((token_duration, )) # Following valid tokens
2683
s = duration # String left to parse
2877
2684
# Loop until end token is found
2878
2685
while found_token is not token_end:
2879
2686
# Search for any currently valid tokens
2903
2710
2904
2711
def string_to_delta(interval):
2905
2712
"""Parse a string and return a datetime.timedelta
2906
2907
>>> string_to_delta("7d") == datetime.timedelta(7)
2908
True
2909
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2910
True
2911
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2912
True
2913
>>> string_to_delta("24h") == datetime.timedelta(1)
2914
True
2915
>>> string_to_delta("1w") == datetime.timedelta(7)
2916
True
2917
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2918
True
2713
2714
>>> string_to_delta('7d')
2715
datetime.timedelta(7)
2716
>>> string_to_delta('60s')
2717
datetime.timedelta(0, 60)
2718
>>> string_to_delta('60m')
2719
datetime.timedelta(0, 3600)
2720
>>> string_to_delta('24h')
2721
datetime.timedelta(1)
2722
>>> string_to_delta('1w')
2723
datetime.timedelta(7)
2724
>>> string_to_delta('5m 30s')
2725
datetime.timedelta(0, 330)
2919
2726
"""
2920
2727
2921
2728
try:
2922
2729
return rfc3339_duration_to_delta(interval)
2923
2730
except ValueError:
2924
2731
pass
2925
2732
2926
2733
timevalue = datetime.timedelta(0)
2927
2734
for s in interval.split():
2928
2735
try:
2946
2753
return timevalue
2947
2754
2948
2755
2949
def daemon(nochdir=False, noclose=False):
2756
def daemon(nochdir = False, noclose = False):
2950
2757
"""See daemon(3). Standard BSD Unix function.
2951
2758
2952
2759
This should really exist as os.daemon, but it doesn't (yet)."""
2953
2760
if os.fork():
2954
2761
sys.exit()
2972
2779
2973
2780
2974
2781
def main():
2975
2782
2976
2783
##################################################################
2977
2784
# Parsing of options, both command line and config file
2978
2785
2979
2786
parser = argparse.ArgumentParser()
2980
2787
parser.add_argument("-v", "--version", action="version",
2981
version="%(prog)s {}".format(version),
2788
version = "%(prog)s {}".format(version),
2982
2789
help="show version number and exit")
2983
2790
parser.add_argument("-i", "--interface", metavar="IF",
2984
2791
help="Bind to interface IF")
3020
2827
parser.add_argument("--no-zeroconf", action="store_false",
3021
2828
dest="zeroconf", help="Do not use Zeroconf",
3022
2829
default=None)
3023
2830
3024
2831
options = parser.parse_args()
3025
2832
2833
if options.check:
2834
import doctest
2835
fail_count, test_count = doctest.testmod()
2836
sys.exit(os.EX_OK if fail_count == 0 else 1)
2837
3026
2838
# Default values for config file for server-global settings
3027
if gnutls.has_rawpk:
3028
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3029
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3030
else:
3031
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3032
":+SIGN-DSA-SHA256")
3033
server_defaults = {"interface": "",
3034
"address": "",
3035
"port": "",
3036
"debug": "False",
3037
"priority": priority,
3038
"servicename": "Mandos",
3039
"use_dbus": "True",
3040
"use_ipv6": "True",
3041
"debuglevel": "",
3042
"restore": "True",
3043
"socket": "",
3044
"statedir": "/var/lib/mandos",
3045
"foreground": "False",
3046
"zeroconf": "True",
3047
}
3048
del priority
3049
2839
server_defaults = { "interface": "",
2840
"address": "",
2841
"port": "",
2842
"debug": "False",
2843
"priority":
2844
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2845
":+SIGN-DSA-SHA256",
2846
"servicename": "Mandos",
2847
"use_dbus": "True",
2848
"use_ipv6": "True",
2849
"debuglevel": "",
2850
"restore": "True",
2851
"socket": "",
2852
"statedir": "/var/lib/mandos",
2853
"foreground": "False",
2854
"zeroconf": "True",
2855
}
2856
3050
2857
# Parse config file for server-global settings
3051
server_config = configparser.ConfigParser(server_defaults)
2858
server_config = configparser.SafeConfigParser(server_defaults)
3052
2859
del server_defaults
3053
2860
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3054
# Convert the ConfigParser object to a dict
2861
# Convert the SafeConfigParser object to a dict
3055
2862
server_settings = server_config.defaults()
3056
2863
# Use the appropriate methods on the non-string config options
3057
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3058
"foreground", "zeroconf"):
2864
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3059
2865
server_settings[option] = server_config.getboolean("DEFAULT",
3060
2866
option)
3061
2867
if server_settings["port"]:
3071
2877
server_settings["socket"] = os.dup(server_settings
3072
2878
["socket"])
3073
2879
del server_config
3074
2880
3075
2881
# Override the settings from the config file with command line
3076
2882
# options, if set.
3077
2883
for option in ("interface", "address", "port", "debug",
3095
2901
if server_settings["debug"]:
3096
2902
server_settings["foreground"] = True
3097
2903
# Now we have our good server settings in "server_settings"
3098
2904
3099
2905
##################################################################
3100
2906
3101
2907
if (not server_settings["zeroconf"]
3102
2908
and not (server_settings["port"]
3103
2909
or server_settings["socket"] != "")):
3104
2910
parser.error("Needs port or socket to work without Zeroconf")
3105
2911
3106
2912
# For convenience
3107
2913
debug = server_settings["debug"]
3108
2914
debuglevel = server_settings["debuglevel"]
3112
2918
stored_state_file)
3113
2919
foreground = server_settings["foreground"]
3114
2920
zeroconf = server_settings["zeroconf"]
3115
2921
3116
2922
if debug:
3117
2923
initlogger(debug, logging.DEBUG)
3118
2924
else:
3121
2927
else:
3122
2928
level = getattr(logging, debuglevel.upper())
3123
2929
initlogger(debug, level)
3124
2930
3125
2931
if server_settings["servicename"] != "Mandos":
3126
2932
syslogger.setFormatter(
3127
logging.Formatter("Mandos ({}) [%(process)d]:"
3128
" %(levelname)s: %(message)s".format(
2933
logging.Formatter('Mandos ({}) [%(process)d]:'
2934
' %(levelname)s: %(message)s'.format(
3129
2935
server_settings["servicename"])))
3130
2936
3131
2937
# Parse config file with clients
3132
client_config = configparser.ConfigParser(Client.client_defaults)
2938
client_config = configparser.SafeConfigParser(Client
2939
.client_defaults)
3133
2940
client_config.read(os.path.join(server_settings["configdir"],
3134
2941
"clients.conf"))
3135
2942
3136
2943
global mandos_dbus_service
3137
2944
mandos_dbus_service = None
3138
2945
3139
2946
socketfd = None
3140
2947
if server_settings["socket"] != "":
3141
2948
socketfd = server_settings["socket"]
3155
2962
try:
3156
2963
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
3157
2964
except IOError as e:
3158
log.error("Could not open file %r", pidfilename,
3159
exc_info=e)
3160
2965
logger.error("Could not open file %r", pidfilename,
2966
exc_info=e)
2967
3161
2968
for name, group in (("_mandos", "_mandos"),
3162
2969
("mandos", "mandos"),
3163
2970
("nobody", "nogroup")):
3173
2980
try:
3174
2981
os.setgid(gid)
3175
2982
os.setuid(uid)
3176
log.debug("Did setuid/setgid to %s:%s", uid, gid)
2983
if debug:
2984
logger.debug("Did setuid/setgid to {}:{}".format(uid,
2985
gid))
3177
2986
except OSError as error:
3178
log.warning("Failed to setuid/setgid to %s:%s: %s", uid, gid,
3179
os.strerror(error.errno))
2987
logger.warning("Failed to setuid/setgid to {}:{}: {}"
2988
.format(uid, gid, os.strerror(error.errno)))
3180
2989
if error.errno != errno.EPERM:
3181
2990
raise
3182
2991
3183
2992
if debug:
3184
2993
# Enable all possible GnuTLS debugging
3185
2994
3186
2995
# "Use a log level over 10 to enable all debugging options."
3187
2996
# - GnuTLS manual
3188
2997
gnutls.global_set_log_level(11)
3189
2998
3190
2999
@gnutls.log_func
3191
3000
def debug_gnutls(level, string):
3192
log.debug("GnuTLS: %s",
3193
string[:-1].decode("utf-8", errors="replace"))
3194
3001
logger.debug("GnuTLS: %s", string[:-1])
3002
3195
3003
gnutls.global_set_log_function(debug_gnutls)
3196
3004
3197
3005
# Redirect stdin so all checkers get /dev/null
3198
3006
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3199
3007
os.dup2(null, sys.stdin.fileno())
3200
3008
if null > 2:
3201
3009
os.close(null)
3202
3010
3203
3011
# Need to fork before connecting to D-Bus
3204
3012
if not foreground:
3205
3013
# Close all input and output, do double fork, etc.
3206
3014
daemon()
3207
3208
if gi.version_info < (3, 10, 2):
3209
# multiprocessing will use threads, so before we use GLib we
3210
# need to inform GLib that threads will be used.
3211
GLib.threads_init()
3212
3015
3016
# multiprocessing will use threads, so before we use GLib we need
3017
# to inform GLib that threads will be used.
3018
GLib.threads_init()
3019
3213
3020
global main_loop
3214
3021
# From the Avahi example code
3215
3022
DBusGMainLoop(set_as_default=True)
3225
3032
"se.bsnet.fukt.Mandos", bus,
3226
3033
do_not_queue=True)
3227
3034
except dbus.exceptions.DBusException as e:
3228
log.error("Disabling D-Bus:", exc_info=e)
3035
logger.error("Disabling D-Bus:", exc_info=e)
3229
3036
use_dbus = False
3230
3037
server_settings["use_dbus"] = False
3231
3038
tcp_server.use_dbus = False
3232
3039
if zeroconf:
3233
3040
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3234
3041
service = AvahiServiceToSyslog(
3235
name=server_settings["servicename"],
3236
servicetype="_mandos._tcp",
3237
protocol=protocol,
3238
bus=bus)
3042
name = server_settings["servicename"],
3043
servicetype = "_mandos._tcp",
3044
protocol = protocol,
3045
bus = bus)
3239
3046
if server_settings["interface"]:
3240
3047
service.interface = if_nametoindex(
3241
3048
server_settings["interface"].encode("utf-8"))
3242
3049
3243
3050
global multiprocessing_manager
3244
3051
multiprocessing_manager = multiprocessing.Manager()
3245
3052
3246
3053
client_class = Client
3247
3054
if use_dbus:
3248
client_class = functools.partial(ClientDBus, bus=bus)
3249
3055
client_class = functools.partial(ClientDBus, bus = bus)
3056
3250
3057
client_settings = Client.config_parser(client_config)
3251
3058
old_client_settings = {}
3252
3059
clients_data = {}
3253
3060
3254
3061
# This is used to redirect stdout and stderr for checker processes
3255
3062
global wnull
3256
wnull = open(os.devnull, "w") # A writable /dev/null
3063
wnull = open(os.devnull, "w") # A writable /dev/null
3257
3064
# Only used if server is running in foreground but not in debug
3258
3065
# mode
3259
3066
if debug or not foreground:
3260
3067
wnull.close()
3261
3068
3262
3069
# Get client data and settings from last running state.
3263
3070
if server_settings["restore"]:
3264
3071
try:
3265
3072
with open(stored_state_path, "rb") as stored_state:
3266
if sys.version_info.major == 2:
3073
if sys.version_info.major == 2:
3267
3074
clients_data, old_client_settings = pickle.load(
3268
3075
stored_state)
3269
3076
else:
3270
3077
bytes_clients_data, bytes_old_client_settings = (
3271
pickle.load(stored_state, encoding="bytes"))
3272
# Fix bytes to strings
3273
# clients_data
3078
pickle.load(stored_state, encoding = "bytes"))
3079
### Fix bytes to strings
3080
## clients_data
3274
3081
# .keys()
3275
clients_data = {(key.decode("utf-8")
3276
if isinstance(key, bytes)
3277
else key): value
3278
for key, value in
3279
bytes_clients_data.items()}
3082
clients_data = { (key.decode("utf-8")
3083
if isinstance(key, bytes)
3084
else key): value
3085
for key, value in
3086
bytes_clients_data.items() }
3280
3087
del bytes_clients_data
3281
3088
for key in clients_data:
3282
value = {(k.decode("utf-8")
3283
if isinstance(k, bytes) else k): v
3284
for k, v in
3285
clients_data[key].items()}
3089
value = { (k.decode("utf-8")
3090
if isinstance(k, bytes) else k): v
3091
for k, v in
3092
clients_data[key].items() }
3286
3093
clients_data[key] = value
3287
3094
# .client_structure
3288
3095
value["client_structure"] = [
3289
3096
(s.decode("utf-8")
3290
3097
if isinstance(s, bytes)
3291
3098
else s) for s in
3292
value["client_structure"]]
3293
# .name, .host, and .checker_command
3294
for k in ("name", "host", "checker_command"):
3099
value["client_structure"] ]
3100
# .name & .host
3101
for k in ("name", "host"):
3295
3102
if isinstance(value[k], bytes):
3296
3103
value[k] = value[k].decode("utf-8")
3297
if "key_id" not in value:
3298
value["key_id"] = ""
3299
elif "fingerprint" not in value:
3300
value["fingerprint"] = ""
3301
# old_client_settings
3104
## old_client_settings
3302
3105
# .keys()
3303
3106
old_client_settings = {
3304
3107
(key.decode("utf-8")
3305
3108
if isinstance(key, bytes)
3306
3109
else key): value
3307
3110
for key, value in
3308
bytes_old_client_settings.items()}
3111
bytes_old_client_settings.items() }
3309
3112
del bytes_old_client_settings
3310
# .host and .checker_command
3113
# .host
3311
3114
for value in old_client_settings.values():
3312
for attribute in ("host", "checker_command"):
3313
if isinstance(value[attribute], bytes):
3314
value[attribute] = (value[attribute]
3315
.decode("utf-8"))
3115
if isinstance(value["host"], bytes):
3116
value["host"] = (value["host"]
3117
.decode("utf-8"))
3316
3118
os.remove(stored_state_path)
3317
3119
except IOError as e:
3318
3120
if e.errno == errno.ENOENT:
3319
log.warning("Could not load persistent state:"
3320
" %s", os.strerror(e.errno))
3121
logger.warning("Could not load persistent state:"
3122
" {}".format(os.strerror(e.errno)))
3321
3123
else:
3322
log.critical("Could not load persistent state:",
3323
exc_info=e)
3124
logger.critical("Could not load persistent state:",
3125
exc_info=e)
3324
3126
raise
3325
3127
except EOFError as e:
3326
log.warning("Could not load persistent state: EOFError:",
3327
exc_info=e)
3328
3128
logger.warning("Could not load persistent state: "
3129
"EOFError:",
3130
exc_info=e)
3131
3329
3132
with PGPEngine() as pgp:
3330
3133
for client_name, client in clients_data.items():
3331
3134
# Skip removed clients
3332
3135
if client_name not in client_settings:
3333
3136
continue
3334
3137
3335
3138
# Decide which value to use after restoring saved state.
3336
3139
# We have three different values: Old config file,
3337
3140
# new config file, and saved state.
3348
3151
client[name] = value
3349
3152
except KeyError:
3350
3153
pass
3351
3154
3352
3155
# Clients who has passed its expire date can still be
3353
3156
# enabled if its last checker was successful. A Client
3354
3157
# whose checker succeeded before we stored its state is
3357
3160
if client["enabled"]:
3358
3161
if datetime.datetime.utcnow() >= client["expires"]:
3359
3162
if not client["last_checked_ok"]:
3360
log.warning("disabling client %s - Client"
3361
" never performed a successful"
3362
" checker", client_name)
3163
logger.warning(
3164
"disabling client {} - Client never "
3165
"performed a successful checker".format(
3166
client_name))
3363
3167
client["enabled"] = False
3364
3168
elif client["last_checker_status"] != 0:
3365
log.warning("disabling client %s - Client"
3366
" last checker failed with error"
3367
" code %s", client_name,
3368
client["last_checker_status"])
3169
logger.warning(
3170
"disabling client {} - Client last"
3171
" checker failed with error code"
3172
" {}".format(
3173
client_name,
3174
client["last_checker_status"]))
3369
3175
client["enabled"] = False
3370
3176
else:
3371
3177
client["expires"] = (
3372
3178
datetime.datetime.utcnow()
3373
3179
+ client["timeout"])
3374
log.debug("Last checker succeeded, keeping %s"
3375
" enabled", client_name)
3180
logger.debug("Last checker succeeded,"
3181
" keeping {} enabled".format(
3182
client_name))
3376
3183
try:
3377
3184
client["secret"] = pgp.decrypt(
3378
3185
client["encrypted_secret"],
3379
3186
client_settings[client_name]["secret"])
3380
3187
except PGPError:
3381
3188
# If decryption fails, we use secret from new settings
3382
log.debug("Failed to decrypt %s old secret",
3383
client_name)
3189
logger.debug("Failed to decrypt {} old secret".format(
3190
client_name))
3384
3191
client["secret"] = (client_settings[client_name]
3385
3192
["secret"])
3386
3193
3387
3194
# Add/remove clients based on new changes made to config
3388
3195
for client_name in (set(old_client_settings)
3389
3196
- set(client_settings)):
3391
3198
for client_name in (set(client_settings)
3392
3199
- set(old_client_settings)):
3393
3200
clients_data[client_name] = client_settings[client_name]
3394
3201
3395
3202
# Create all client objects
3396
3203
for client_name, client in clients_data.items():
3397
3204
tcp_server.clients[client_name] = client_class(
3398
name=client_name,
3399
settings=client,
3400
server_settings=server_settings)
3401
3205
name = client_name,
3206
settings = client,
3207
server_settings = server_settings)
3208
3402
3209
if not tcp_server.clients:
3403
log.warning("No clients defined")
3404
3210
logger.warning("No clients defined")
3211
3405
3212
if not foreground:
3406
3213
if pidfile is not None:
3407
3214
pid = os.getpid()
3409
3216
with pidfile:
3410
3217
print(pid, file=pidfile)
3411
3218
except IOError:
3412
log.error("Could not write to file %r with PID %d",
3413
pidfilename, pid)
3219
logger.error("Could not write to file %r with PID %d",
3220
pidfilename, pid)
3414
3221
del pidfile
3415
3222
del pidfilename
3416
3223
3417
3224
for termsig in (signal.SIGHUP, signal.SIGTERM):
3418
3225
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3419
3226
lambda: main_loop.quit() and False)
3420
3227
3421
3228
if use_dbus:
3422
3229
3423
3230
@alternate_dbus_interfaces(
3424
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3231
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3425
3232
class MandosDBusService(DBusObjectWithObjectManager):
3426
3233
"""A D-Bus proxy object"""
3427
3234
3428
3235
def __init__(self):
3429
3236
dbus.service.Object.__init__(self, bus, "/")
3430
3237
3431
3238
_interface = "se.recompile.Mandos"
3432
3239
3433
3240
@dbus.service.signal(_interface, signature="o")
3434
3241
def ClientAdded(self, objpath):
3435
3242
"D-Bus signal"
3436
3243
pass
3437
3244
3438
3245
@dbus.service.signal(_interface, signature="ss")
3439
def ClientNotFound(self, key_id, address):
3246
def ClientNotFound(self, fingerprint, address):
3440
3247
"D-Bus signal"
3441
3248
pass
3442
3249
3443
3250
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3444
3251
"true"})
3445
3252
@dbus.service.signal(_interface, signature="os")
3446
3253
def ClientRemoved(self, objpath, name):
3447
3254
"D-Bus signal"
3448
3255
pass
3449
3256
3450
3257
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3451
3258
"true"})
3452
3259
@dbus.service.method(_interface, out_signature="ao")
3454
3261
"D-Bus method"
3455
3262
return dbus.Array(c.dbus_object_path for c in
3456
3263
tcp_server.clients.values())
3457
3264
3458
3265
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3459
3266
"true"})
3460
3267
@dbus.service.method(_interface,
3462
3269
def GetAllClientsWithProperties(self):
3463
3270
"D-Bus method"
3464
3271
return dbus.Dictionary(
3465
{c.dbus_object_path: c.GetAll(
3272
{ c.dbus_object_path: c.GetAll(
3466
3273
"se.recompile.Mandos.Client")
3467
for c in tcp_server.clients.values()},
3274
for c in tcp_server.clients.values() },
3468
3275
signature="oa{sv}")
3469
3276
3470
3277
@dbus.service.method(_interface, in_signature="o")
3471
3278
def RemoveClient(self, object_path):
3472
3279
"D-Bus method"
3480
3287
self.client_removed_signal(c)
3481
3288
return
3482
3289
raise KeyError(object_path)
3483
3290
3484
3291
del _interface
3485
3292
3486
3293
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3487
out_signature="a{oa{sa{sv}}}")
3294
out_signature = "a{oa{sa{sv}}}")
3488
3295
def GetManagedObjects(self):
3489
3296
"""D-Bus method"""
3490
3297
return dbus.Dictionary(
3491
{client.dbus_object_path:
3492
dbus.Dictionary(
3493
{interface: client.GetAll(interface)
3494
for interface in
3495
client._get_all_interface_names()})
3496
for client in tcp_server.clients.values()})
3497
3298
{ client.dbus_object_path:
3299
dbus.Dictionary(
3300
{ interface: client.GetAll(interface)
3301
for interface in
3302
client._get_all_interface_names()})
3303
for client in tcp_server.clients.values()})
3304
3498
3305
def client_added_signal(self, client):
3499
3306
"""Send the new standard signal and the old signal"""
3500
3307
if use_dbus:
3502
3309
self.InterfacesAdded(
3503
3310
client.dbus_object_path,
3504
3311
dbus.Dictionary(
3505
{interface: client.GetAll(interface)
3506
for interface in
3507
client._get_all_interface_names()}))
3312
{ interface: client.GetAll(interface)
3313
for interface in
3314
client._get_all_interface_names()}))
3508
3315
# Old signal
3509
3316
self.ClientAdded(client.dbus_object_path)
3510
3317
3511
3318
def client_removed_signal(self, client):
3512
3319
"""Send the new standard signal and the old signal"""
3513
3320
if use_dbus:
3518
3325
# Old signal
3519
3326
self.ClientRemoved(client.dbus_object_path,
3520
3327
client.name)
3521
3328
3522
3329
mandos_dbus_service = MandosDBusService()
3523
3330
3524
3331
# Save modules to variables to exempt the modules from being
3525
3332
# unloaded before the function registered with atexit() is run.
3526
3333
mp = multiprocessing
3527
3334
wn = wnull
3528
3529
3335
def cleanup():
3530
3336
"Cleanup function; run on exit"
3531
3337
if zeroconf:
3532
3338
service.cleanup()
3533
3339
3534
3340
mp.active_children()
3535
3341
wn.close()
3536
3342
if not (tcp_server.clients or client_settings):
3537
3343
return
3538
3344
3539
3345
# Store client before exiting. Secrets are encrypted with key
3540
3346
# based on what config file has. If config file is
3541
3347
# removed/edited, old secret will thus be unrecovable.
3546
3352
client.encrypted_secret = pgp.encrypt(client.secret,
3547
3353
key)
3548
3354
client_dict = {}
3549
3355
3550
3356
# A list of attributes that can not be pickled
3551
3357
# + secret.
3552
exclude = {"bus", "changedstate", "secret",
3553
"checker", "server_settings"}
3358
exclude = { "bus", "changedstate", "secret",
3359
"checker", "server_settings" }
3554
3360
for name, typ in inspect.getmembers(dbus.service
3555
3361
.Object):
3556
3362
exclude.add(name)
3557
3363
3558
3364
client_dict["encrypted_secret"] = (client
3559
3365
.encrypted_secret)
3560
3366
for attr in client.client_structure:
3561
3367
if attr not in exclude:
3562
3368
client_dict[attr] = getattr(client, attr)
3563
3369
3564
3370
clients[client.name] = client_dict
3565
3371
del client_settings[client.name]["secret"]
3566
3372
3567
3373
try:
3568
3374
with tempfile.NamedTemporaryFile(
3569
mode="wb",
3375
mode='wb',
3570
3376
suffix=".pickle",
3571
prefix="clients-",
3377
prefix='clients-',
3572
3378
dir=os.path.dirname(stored_state_path),
3573
3379
delete=False) as stored_state:
3574
3380
pickle.dump((clients, client_settings), stored_state,
3575
protocol=2)
3381
protocol = 2)
3576
3382
tempname = stored_state.name
3577
3383
os.rename(tempname, stored_state_path)
3578
3384
except (IOError, OSError) as e:
3582
3388
except NameError:
3583
3389
pass
3584
3390
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
3585
log.warning("Could not save persistent state: %s",
3586
os.strerror(e.errno))
3391
logger.warning("Could not save persistent state: {}"
3392
.format(os.strerror(e.errno)))
3587
3393
else:
3588
log.warning("Could not save persistent state:",
3589
exc_info=e)
3394
logger.warning("Could not save persistent state:",
3395
exc_info=e)
3590
3396
raise
3591
3397
3592
3398
# Delete all clients, and settings from config
3593
3399
while tcp_server.clients:
3594
3400
name, client = tcp_server.clients.popitem()
3600
3406
if use_dbus:
3601
3407
mandos_dbus_service.client_removed_signal(client)
3602
3408
client_settings.clear()
3603
3409
3604
3410
atexit.register(cleanup)
3605
3411
3606
3412
for client in tcp_server.clients.values():
3607
3413
if use_dbus:
3608
3414
# Emit D-Bus signal for adding
3610
3416
# Need to initiate checking of clients
3611
3417
if client.enabled:
3612
3418
client.init_checker()
3613
3419
3614
3420
tcp_server.enable()
3615
3421
tcp_server.server_activate()
3616
3422
3617
3423
# Find out what port we got
3618
3424
if zeroconf:
3619
3425
service.port = tcp_server.socket.getsockname()[1]
3620
3426
if use_ipv6:
3621
log.info("Now listening on address %r, port %d, flowinfo %d,"
3622
" scope_id %d", *tcp_server.socket.getsockname())
3427
logger.info("Now listening on address %r, port %d,"
3428
" flowinfo %d, scope_id %d",
3429
*tcp_server.socket.getsockname())
3623
3430
else: # IPv4
3624
log.info("Now listening on address %r, port %d",
3625
*tcp_server.socket.getsockname())
3626
3627
# service.interface = tcp_server.socket.getsockname()[3]
3628
3431
logger.info("Now listening on address %r, port %d",
3432
*tcp_server.socket.getsockname())
3433
3434
#service.interface = tcp_server.socket.getsockname()[3]
3435
3629
3436
try:
3630
3437
if zeroconf:
3631
3438
# From the Avahi example code
3632
3439
try:
3633
3440
service.activate()
3634
3441
except dbus.exceptions.DBusException as error:
3635
log.critical("D-Bus Exception", exc_info=error)
3442
logger.critical("D-Bus Exception", exc_info=error)
3636
3443
cleanup()
3637
3444
sys.exit(1)
3638
3445
# End of Avahi example code
3639
3640
GLib.io_add_watch(
3641
GLib.IOChannel.unix_new(tcp_server.fileno()),
3642
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3643
lambda *args, **kwargs: (tcp_server.handle_request
3644
(*args[2:], **kwargs) or True))
3645
3646
log.debug("Starting main loop")
3446
3447
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3448
lambda *args, **kwargs:
3449
(tcp_server.handle_request
3450
(*args[2:], **kwargs) or True))
3451
3452
logger.debug("Starting main loop")
3647
3453
main_loop.run()
3648
3454
except AvahiError as error:
3649
log.critical("Avahi Error", exc_info=error)
3455
logger.critical("Avahi Error", exc_info=error)
3650
3456
cleanup()
3651
3457
sys.exit(1)
3652
3458
except KeyboardInterrupt:
3653
3459
if debug:
3654
3460
print("", file=sys.stderr)
3655
log.debug("Server received KeyboardInterrupt")
3656
log.debug("Server exiting")
3461
logger.debug("Server received KeyboardInterrupt")
3462
logger.debug("Server exiting")
3657
3463
# Must run before the D-Bus bus name gets deregistered
3658
3464
cleanup()
3659
3465
3660
3661
def parse_test_args():
3662
# type: () -> argparse.Namespace
3663
parser = argparse.ArgumentParser(add_help=False)
3664
parser.add_argument("--check", action="store_true")
3665
parser.add_argument("--prefix", )
3666
args, unknown_args = parser.parse_known_args()
3667
if args.check:
3668
# Remove test options from sys.argv
3669
sys.argv[1:] = unknown_args
3670
return args
3671
3672
# Add all tests from doctest strings
3673
def load_tests(loader, tests, none):
3674
import doctest
3675
tests.addTests(doctest.DocTestSuite())
3676
return tests
3677
3678
if __name__ == "__main__":
3679
options = parse_test_args()
3680
try:
3681
if options.check:
3682
extra_test_prefix = options.prefix
3683
if extra_test_prefix is not None:
3684
if not (unittest.main(argv=[""], exit=False)
3685
.result.wasSuccessful()):
3686
sys.exit(1)
3687
class ExtraTestLoader(unittest.TestLoader):
3688
testMethodPrefix = extra_test_prefix
3689
# Call using ./scriptname --test [--verbose]
3690
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3691
else:
3692
unittest.main(argv=[""])
3693
else:
3694
main()
3695
finally:
3696
logging.shutdown()
3697
3698
# Local Variables:
3699
# run-tests:
3700
# (lambda (&optional extra)
3701
# (if (not (funcall run-tests-in-test-buffer default-directory
3702
# extra))
3703
# (funcall show-test-buffer-in-test-window)
3704
# (funcall remove-test-window)
3705
# (if extra (message "Extra tests run successfully!"))))
3706
# run-tests-in-test-buffer:
3707
# (lambda (dir &optional extra)
3708
# (with-current-buffer (get-buffer-create "*Test*")
3709
# (setq buffer-read-only nil
3710
# default-directory dir)
3711
# (erase-buffer)
3712
# (compilation-mode))
3713
# (let ((process-result
3714
# (let ((inhibit-read-only t))
3715
# (process-file-shell-command
3716
# (funcall get-command-line extra) nil "*Test*"))))
3717
# (and (numberp process-result)
3718
# (= process-result 0))))
3719
# get-command-line:
3720
# (lambda (&optional extra)
3721
# (let ((quoted-script
3722
# (shell-quote-argument (funcall get-script-name))))
3723
# (format
3724
# (concat "%s --check" (if extra " --prefix=atest" ""))
3725
# quoted-script)))
3726
# get-script-name:
3727
# (lambda ()
3728
# (if (fboundp 'file-local-name)
3729
# (file-local-name (buffer-file-name))
3730
# (or (file-remote-p (buffer-file-name) 'localname)
3731
# (buffer-file-name))))
3732
# remove-test-window:
3733
# (lambda ()
3734
# (let ((test-window (get-buffer-window "*Test*")))
3735
# (if test-window (delete-window test-window))))
3736
# show-test-buffer-in-test-window:
3737
# (lambda ()
3738
# (when (not (get-buffer-window-list "*Test*"))
3739
# (setq next-error-last-buffer (get-buffer "*Test*"))
3740
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3741
# (display-buffer-overriding-action
3742
# `((display-buffer-in-side-window) (side . ,side)
3743
# (window-height . fit-window-to-buffer)
3744
# (window-width . fit-window-to-buffer))))
3745
# (display-buffer "*Test*"))))
3746
# eval:
3747
# (progn
3748
# (let* ((run-extra-tests (lambda () (interactive)
3749
# (funcall run-tests t)))
3750
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3751
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3752
# (setq minor-mode-overriding-map-alist
3753
# (cons `(run-tests . ,outer-keymap)
3754
# minor-mode-overriding-map-alist)))
3755
# (add-hook 'after-save-hook run-tests 90 t))
3756
# End:
3466
3467
if __name__ == '__main__':
3468
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0