To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 793
- compare with another revision
- download diff
- download tarball
- view history from revision 793
- Committer: Teddy Hogeborn
- Date: 2015-12-03 21:06:34 UTC
- Revision ID: teddy@recompile.se-20151203210634-5dcyccalld40cygn
* debian/rules (override_dh_fixperms): Split into
"override_dh_fixperms-arch" and
"override_dh_fixperms-indep".
Fixes Debian bug #806073.
"override_dh_fixperms-arch" and
"override_dh_fixperms-indep".
Fixes Debian bug #806073.
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
37
from future_builtins import *
41
38
42
39
try:
43
40
import SocketServer as socketserver
47
44
import argparse
48
45
import datetime
49
46
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
50
53
try:
51
54
import ConfigParser as configparser
52
55
except ImportError:
79
82
80
83
import dbus
81
84
import dbus.service
82
from gi.repository import GLib
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
90
from dbus.mainloop.glib import DBusGMainLoop
84
91
import ctypes
85
92
import ctypes.util
86
93
import xml.dom.minidom
87
94
import inspect
88
95
89
# Try to find the value of SO_BINDTODEVICE:
90
96
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
93
97
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
94
98
except AttributeError:
95
99
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
98
100
from IN import SO_BINDTODEVICE
99
101
except ImportError:
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
102
SO_BINDTODEVICE = None
113
103
114
104
if sys.version_info.major == 2:
115
105
str = unicode
116
106
117
version = "1.7.13"
107
version = "1.7.1"
118
108
stored_state_file = "clients.pickle"
119
109
120
110
logger = logging.getLogger()
124
114
if_nametoindex = ctypes.cdll.LoadLibrary(
125
115
ctypes.util.find_library("c")).if_nametoindex
126
116
except (OSError, AttributeError):
127
117
128
118
def if_nametoindex(interface):
129
119
"Get an interface index the hard way, i.e. using fcntl()"
130
120
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
135
125
return interface_index
136
126
137
127
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
154
128
def initlogger(debug, level=logging.WARNING):
155
129
"""init logger and add loglevel"""
156
130
157
131
global syslogger
158
132
syslogger = (logging.handlers.SysLogHandler(
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
161
135
syslogger.setFormatter(logging.Formatter
162
136
('Mandos [%(process)d]: %(levelname)s:'
163
137
' %(message)s'))
164
138
logger.addHandler(syslogger)
165
139
166
140
if debug:
167
141
console = logging.StreamHandler()
168
142
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
180
154
181
155
class PGPEngine(object):
182
156
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
157
184
158
def __init__(self):
185
159
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
186
self.gpg = "gpg"
187
try:
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
191
if name == "gpg":
192
self.gpg = path
193
break
194
except OSError as e:
195
if e.errno != errno.ENOENT:
196
raise
197
160
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
161
'--home', self.tempdir,
199
162
'--force-mdc',
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
163
'--quiet',
164
'--no-use-agent']
165
205
166
def __enter__(self):
206
167
return self
207
168
208
169
def __exit__(self, exc_type, exc_value, traceback):
209
170
self._cleanup()
210
171
return False
211
172
212
173
def __del__(self):
213
174
self._cleanup()
214
175
215
176
def _cleanup(self):
216
177
if self.tempdir is not None:
217
178
# Delete contents of tempdir
218
179
for root, dirs, files in os.walk(self.tempdir,
219
topdown=False):
180
topdown = False):
220
181
for filename in files:
221
182
os.remove(os.path.join(root, filename))
222
183
for dirname in dirs:
224
185
# Remove tempdir
225
186
os.rmdir(self.tempdir)
226
187
self.tempdir = None
227
188
228
189
def password_encode(self, password):
229
190
# Passphrase can not be empty and can not contain newlines or
230
191
# NUL bytes. So we prefix it and hex encode it.
235
196
.replace(b"\n", b"\\n")
236
197
.replace(b"\0", b"\\x00"))
237
198
return encoded
238
199
239
200
def encrypt(self, data, password):
240
201
passphrase = self.password_encode(password)
241
202
with tempfile.NamedTemporaryFile(
242
203
dir=self.tempdir) as passfile:
243
204
passfile.write(passphrase)
244
205
passfile.flush()
245
proc = subprocess.Popen([self.gpg, '--symmetric',
206
proc = subprocess.Popen(['gpg', '--symmetric',
246
207
'--passphrase-file',
247
208
passfile.name]
248
209
+ self.gnupgargs,
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
253
214
if proc.returncode != 0:
254
215
raise PGPError(err)
255
216
return ciphertext
256
217
257
218
def decrypt(self, data, password):
258
219
passphrase = self.password_encode(password)
259
220
with tempfile.NamedTemporaryFile(
260
dir=self.tempdir) as passfile:
221
dir = self.tempdir) as passfile:
261
222
passfile.write(passphrase)
262
223
passfile.flush()
263
proc = subprocess.Popen([self.gpg, '--decrypt',
224
proc = subprocess.Popen(['gpg', '--decrypt',
264
225
'--passphrase-file',
265
226
passfile.name]
266
227
+ self.gnupgargs,
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
271
232
if proc.returncode != 0:
272
233
raise PGPError(err)
273
234
return decrypted_plaintext
274
235
275
236
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
303
237
class AvahiError(Exception):
304
238
def __init__(self, value, *args, **kwargs):
305
239
self.value = value
317
251
318
252
class AvahiService(object):
319
253
"""An Avahi (Zeroconf) service.
320
254
321
255
Attributes:
322
256
interface: integer; avahi.IF_UNSPEC or an interface index.
323
257
Used to optionally bind to the specified interface.
335
269
server: D-Bus Server
336
270
bus: dbus.SystemBus()
337
271
"""
338
272
339
273
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
350
284
self.interface = interface
351
285
self.name = name
352
286
self.type = servicetype
361
295
self.server = None
362
296
self.bus = bus
363
297
self.entry_group_state_changed_match = None
364
298
365
299
def rename(self, remove=True):
366
300
"""Derived from the Avahi example code"""
367
301
if self.rename_count >= self.max_renames:
387
321
logger.critical("D-Bus Exception", exc_info=error)
388
322
self.cleanup()
389
323
os._exit(1)
390
324
391
325
def remove(self):
392
326
"""Derived from the Avahi example code"""
393
327
if self.entry_group_state_changed_match is not None:
395
329
self.entry_group_state_changed_match = None
396
330
if self.group is not None:
397
331
self.group.Reset()
398
332
399
333
def add(self):
400
334
"""Derived from the Avahi example code"""
401
335
self.remove()
418
352
dbus.UInt16(self.port),
419
353
avahi.string_array_to_txt_array(self.TXT))
420
354
self.group.Commit()
421
355
422
356
def entry_group_state_changed(self, state, error):
423
357
"""Derived from the Avahi example code"""
424
358
logger.debug("Avahi entry group state change: %i", state)
425
359
426
360
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
361
logger.debug("Zeroconf service established.")
428
362
elif state == avahi.ENTRY_GROUP_COLLISION:
432
366
logger.critical("Avahi: Error in group state changed %s",
433
367
str(error))
434
368
raise AvahiGroupError("State changed: {!s}".format(error))
435
369
436
370
def cleanup(self):
437
371
"""Derived from the Avahi example code"""
438
372
if self.group is not None:
443
377
pass
444
378
self.group = None
445
379
self.remove()
446
380
447
381
def server_state_changed(self, state, error=None):
448
382
"""Derived from the Avahi example code"""
449
383
logger.debug("Avahi server state change: %i", state)
478
412
logger.debug("Unknown state: %r", state)
479
413
else:
480
414
logger.debug("Unknown state: %r: %r", state, error)
481
415
482
416
def activate(self):
483
417
"""Derived from the Avahi example code"""
484
418
if self.server is None:
501
435
.format(self.name)))
502
436
return ret
503
437
504
505
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
509
510
library = ctypes.util.find_library("gnutls")
511
if library is None:
512
library = ctypes.util.find_library("gnutls-deb0")
513
_library = ctypes.cdll.LoadLibrary(library)
514
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use "self" here, since this method is called before
519
# the assignment to the "gnutls" global variable happens.
520
if self.check_version(self._need_version) is None:
521
raise self.Error("Needs GnuTLS {} or later"
522
.format(self._need_version))
523
524
# Unless otherwise indicated, the constants and types below are
525
# all from the gnutls/gnutls.h C header file.
526
527
# Constants
528
E_SUCCESS = 0
529
E_INTERRUPTED = -52
530
E_AGAIN = -28
531
CRT_OPENPGP = 2
532
CLIENT = 2
533
SHUT_RDWR = 0
534
CRD_CERTIFICATE = 1
535
E_NO_CERTIFICATE_FOUND = -49
536
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
537
538
# Types
539
class session_int(ctypes.Structure):
540
_fields_ = []
541
session_t = ctypes.POINTER(session_int)
542
543
class certificate_credentials_st(ctypes.Structure):
544
_fields_ = []
545
certificate_credentials_t = ctypes.POINTER(
546
certificate_credentials_st)
547
certificate_type_t = ctypes.c_int
548
549
class datum_t(ctypes.Structure):
550
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
551
('size', ctypes.c_uint)]
552
553
class openpgp_crt_int(ctypes.Structure):
554
_fields_ = []
555
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
556
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
557
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
558
credentials_type_t = ctypes.c_int
559
transport_ptr_t = ctypes.c_void_p
560
close_request_t = ctypes.c_int
561
562
# Exceptions
563
class Error(Exception):
564
# We need to use the class name "GnuTLS" here, since this
565
# exception might be raised from within GnuTLS.__init__,
566
# which is called before the assignment to the "gnutls"
567
# global variable has happened.
568
def __init__(self, message=None, code=None, args=()):
569
# Default usage is by a message string, but if a return
570
# code is passed, convert it to a string with
571
# gnutls.strerror()
572
self.code = code
573
if message is None and code is not None:
574
message = GnuTLS.strerror(code)
575
return super(GnuTLS.Error, self).__init__(
576
message, *args)
577
578
class CertificateSecurityError(Error):
579
pass
580
581
# Classes
582
class Credentials(object):
583
def __init__(self):
584
self._c_object = gnutls.certificate_credentials_t()
585
gnutls.certificate_allocate_credentials(
586
ctypes.byref(self._c_object))
587
self.type = gnutls.CRD_CERTIFICATE
588
589
def __del__(self):
590
gnutls.certificate_free_credentials(self._c_object)
591
592
class ClientSession(object):
593
def __init__(self, socket, credentials=None):
594
self._c_object = gnutls.session_t()
595
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
596
gnutls.set_default_priority(self._c_object)
597
gnutls.transport_set_ptr(self._c_object, socket.fileno())
598
gnutls.handshake_set_private_extensions(self._c_object,
599
True)
600
self.socket = socket
601
if credentials is None:
602
credentials = gnutls.Credentials()
603
gnutls.credentials_set(self._c_object, credentials.type,
604
ctypes.cast(credentials._c_object,
605
ctypes.c_void_p))
606
self.credentials = credentials
607
608
def __del__(self):
609
gnutls.deinit(self._c_object)
610
611
def handshake(self):
612
return gnutls.handshake(self._c_object)
613
614
def send(self, data):
615
data = bytes(data)
616
data_len = len(data)
617
while data_len > 0:
618
data_len -= gnutls.record_send(self._c_object,
619
data[-data_len:],
620
data_len)
621
622
def bye(self):
623
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
624
625
# Error handling functions
626
def _error_code(result):
627
"""A function to raise exceptions on errors, suitable
628
for the 'restype' attribute on ctypes functions"""
629
if result >= 0:
630
return result
631
if result == gnutls.E_NO_CERTIFICATE_FOUND:
632
raise gnutls.CertificateSecurityError(code=result)
633
raise gnutls.Error(code=result)
634
635
def _retry_on_error(result, func, arguments):
636
"""A function to retry on some errors, suitable
637
for the 'errcheck' attribute on ctypes functions"""
638
while result < 0:
639
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
640
return _error_code(result)
641
result = func(*arguments)
642
return result
643
644
# Unless otherwise indicated, the function declarations below are
645
# all from the gnutls/gnutls.h C header file.
646
647
# Functions
648
priority_set_direct = _library.gnutls_priority_set_direct
649
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
650
ctypes.POINTER(ctypes.c_char_p)]
651
priority_set_direct.restype = _error_code
652
653
init = _library.gnutls_init
654
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
655
init.restype = _error_code
656
657
set_default_priority = _library.gnutls_set_default_priority
658
set_default_priority.argtypes = [session_t]
659
set_default_priority.restype = _error_code
660
661
record_send = _library.gnutls_record_send
662
record_send.argtypes = [session_t, ctypes.c_void_p,
663
ctypes.c_size_t]
664
record_send.restype = ctypes.c_ssize_t
665
record_send.errcheck = _retry_on_error
666
667
certificate_allocate_credentials = (
668
_library.gnutls_certificate_allocate_credentials)
669
certificate_allocate_credentials.argtypes = [
670
ctypes.POINTER(certificate_credentials_t)]
671
certificate_allocate_credentials.restype = _error_code
672
673
certificate_free_credentials = (
674
_library.gnutls_certificate_free_credentials)
675
certificate_free_credentials.argtypes = [
676
certificate_credentials_t]
677
certificate_free_credentials.restype = None
678
679
handshake_set_private_extensions = (
680
_library.gnutls_handshake_set_private_extensions)
681
handshake_set_private_extensions.argtypes = [session_t,
682
ctypes.c_int]
683
handshake_set_private_extensions.restype = None
684
685
credentials_set = _library.gnutls_credentials_set
686
credentials_set.argtypes = [session_t, credentials_type_t,
687
ctypes.c_void_p]
688
credentials_set.restype = _error_code
689
690
strerror = _library.gnutls_strerror
691
strerror.argtypes = [ctypes.c_int]
692
strerror.restype = ctypes.c_char_p
693
694
certificate_type_get = _library.gnutls_certificate_type_get
695
certificate_type_get.argtypes = [session_t]
696
certificate_type_get.restype = _error_code
697
698
certificate_get_peers = _library.gnutls_certificate_get_peers
699
certificate_get_peers.argtypes = [session_t,
700
ctypes.POINTER(ctypes.c_uint)]
701
certificate_get_peers.restype = ctypes.POINTER(datum_t)
702
703
global_set_log_level = _library.gnutls_global_set_log_level
704
global_set_log_level.argtypes = [ctypes.c_int]
705
global_set_log_level.restype = None
706
707
global_set_log_function = _library.gnutls_global_set_log_function
708
global_set_log_function.argtypes = [log_func]
709
global_set_log_function.restype = None
710
711
deinit = _library.gnutls_deinit
712
deinit.argtypes = [session_t]
713
deinit.restype = None
714
715
handshake = _library.gnutls_handshake
716
handshake.argtypes = [session_t]
717
handshake.restype = _error_code
718
handshake.errcheck = _retry_on_error
719
720
transport_set_ptr = _library.gnutls_transport_set_ptr
721
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
722
transport_set_ptr.restype = None
723
724
bye = _library.gnutls_bye
725
bye.argtypes = [session_t, close_request_t]
726
bye.restype = _error_code
727
bye.errcheck = _retry_on_error
728
729
check_version = _library.gnutls_check_version
730
check_version.argtypes = [ctypes.c_char_p]
731
check_version.restype = ctypes.c_char_p
732
733
# All the function declarations below are from gnutls/openpgp.h
734
735
openpgp_crt_init = _library.gnutls_openpgp_crt_init
736
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
737
openpgp_crt_init.restype = _error_code
738
739
openpgp_crt_import = _library.gnutls_openpgp_crt_import
740
openpgp_crt_import.argtypes = [openpgp_crt_t,
741
ctypes.POINTER(datum_t),
742
openpgp_crt_fmt_t]
743
openpgp_crt_import.restype = _error_code
744
745
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
746
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
747
ctypes.POINTER(ctypes.c_uint)]
748
openpgp_crt_verify_self.restype = _error_code
749
750
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
751
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
752
openpgp_crt_deinit.restype = None
753
754
openpgp_crt_get_fingerprint = (
755
_library.gnutls_openpgp_crt_get_fingerprint)
756
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
757
ctypes.c_void_p,
758
ctypes.POINTER(
759
ctypes.c_size_t)]
760
openpgp_crt_get_fingerprint.restype = _error_code
761
762
# Remove non-public functions
763
del _error_code, _retry_on_error
764
# Create the global "gnutls" object, simulating a module
765
gnutls = GnuTLS()
766
767
768
438
def call_pipe(connection, # : multiprocessing.Connection
769
439
func, *args, **kwargs):
770
440
"""This function is meant to be called by multiprocessing.Process
771
441
772
442
This function runs func(*args, **kwargs), and writes the resulting
773
443
return value on the provided multiprocessing.Connection.
774
444
"""
775
445
connection.send(func(*args, **kwargs))
776
446
connection.close()
777
447
778
779
448
class Client(object):
780
449
"""A representation of a client host served by this server.
781
450
782
451
Attributes:
783
452
approved: bool(); 'None' if not yet approved/disapproved
784
453
approval_delay: datetime.timedelta(); Time to wait for approval
786
455
checker: subprocess.Popen(); a running checker process used
787
456
to see if the client lives.
788
457
'None' if no process is running.
789
checker_callback_tag: a GLib event source tag, or None
458
checker_callback_tag: a gobject event source tag, or None
790
459
checker_command: string; External command which is run to check
791
460
if client lives. %() expansions are done at
792
461
runtime with vars(self) as dict, so that for
793
462
instance %(name)s can be used in the command.
794
checker_initiator_tag: a GLib event source tag, or None
463
checker_initiator_tag: a gobject event source tag, or None
795
464
created: datetime.datetime(); (UTC) object creation
796
465
client_structure: Object describing what attributes a client has
797
466
and is used for storing the client at exit
798
467
current_checker_command: string; current running checker_command
799
disable_initiator_tag: a GLib event source tag, or None
468
disable_initiator_tag: a gobject event source tag, or None
800
469
enabled: bool()
801
470
fingerprint: string (40 or 32 hexadecimal digits); used to
802
471
uniquely identify the client
821
490
disabled, or None
822
491
server_settings: The server_settings dict from main()
823
492
"""
824
493
825
494
runtime_expansions = ("approval_delay", "approval_duration",
826
495
"created", "enabled", "expires",
827
496
"fingerprint", "host", "interval",
838
507
"approved_by_default": "True",
839
508
"enabled": "True",
840
509
}
841
510
842
511
@staticmethod
843
512
def config_parser(config):
844
513
"""Construct a new dict of client settings of this form:
851
520
for client_name in config.sections():
852
521
section = dict(config.items(client_name))
853
522
client = settings[client_name] = {}
854
523
855
524
client["host"] = section["host"]
856
525
# Reformat values from string types to Python types
857
526
client["approved_by_default"] = config.getboolean(
858
527
client_name, "approved_by_default")
859
528
client["enabled"] = config.getboolean(client_name,
860
529
"enabled")
861
530
862
531
# Uppercase and remove spaces from fingerprint for later
863
532
# comparison purposes with return value from the
864
533
# fingerprint() function
865
534
client["fingerprint"] = (section["fingerprint"].upper()
866
535
.replace(" ", ""))
867
536
if "secret" in section:
868
client["secret"] = codecs.decode(section["secret"]
869
.encode("utf-8"),
870
"base64")
537
client["secret"] = section["secret"].decode("base64")
871
538
elif "secfile" in section:
872
539
with open(os.path.expanduser(os.path.expandvars
873
540
(section["secfile"])),
888
555
client["last_approval_request"] = None
889
556
client["last_checked_ok"] = None
890
557
client["last_checker_status"] = -2
891
558
892
559
return settings
893
894
def __init__(self, settings, name=None, server_settings=None):
560
561
def __init__(self, settings, name = None, server_settings=None):
895
562
self.name = name
896
563
if server_settings is None:
897
564
server_settings = {}
899
566
# adding all client settings
900
567
for setting, value in settings.items():
901
568
setattr(self, setting, value)
902
569
903
570
if self.enabled:
904
571
if not hasattr(self, "last_enabled"):
905
572
self.last_enabled = datetime.datetime.utcnow()
909
576
else:
910
577
self.last_enabled = None
911
578
self.expires = None
912
579
913
580
logger.debug("Creating client %r", self.name)
914
581
logger.debug(" Fingerprint: %s", self.fingerprint)
915
582
self.created = settings.get("created",
916
583
datetime.datetime.utcnow())
917
584
918
585
# attributes specific for this server instance
919
586
self.checker = None
920
587
self.checker_initiator_tag = None
926
593
self.changedstate = multiprocessing_manager.Condition(
927
594
multiprocessing_manager.Lock())
928
595
self.client_structure = [attr
929
for attr in self.__dict__.keys()
596
for attr in self.__dict__.iterkeys()
930
597
if not attr.startswith("_")]
931
598
self.client_structure.append("client_structure")
932
599
933
600
for name, t in inspect.getmembers(
934
601
type(self), lambda obj: isinstance(obj, property)):
935
602
if not name.startswith("_"):
936
603
self.client_structure.append(name)
937
604
938
605
# Send notice to process children that client state has changed
939
606
def send_changedstate(self):
940
607
with self.changedstate:
941
608
self.changedstate.notify_all()
942
609
943
610
def enable(self):
944
611
"""Start this client's checker and timeout hooks"""
945
612
if getattr(self, "enabled", False):
950
617
self.last_enabled = datetime.datetime.utcnow()
951
618
self.init_checker()
952
619
self.send_changedstate()
953
620
954
621
def disable(self, quiet=True):
955
622
"""Disable this client."""
956
623
if not getattr(self, "enabled", False):
958
625
if not quiet:
959
626
logger.info("Disabling client %s", self.name)
960
627
if getattr(self, "disable_initiator_tag", None) is not None:
961
GLib.source_remove(self.disable_initiator_tag)
628
gobject.source_remove(self.disable_initiator_tag)
962
629
self.disable_initiator_tag = None
963
630
self.expires = None
964
631
if getattr(self, "checker_initiator_tag", None) is not None:
965
GLib.source_remove(self.checker_initiator_tag)
632
gobject.source_remove(self.checker_initiator_tag)
966
633
self.checker_initiator_tag = None
967
634
self.stop_checker()
968
635
self.enabled = False
969
636
if not quiet:
970
637
self.send_changedstate()
971
# Do not run this again if called by a GLib.timeout_add
638
# Do not run this again if called by a gobject.timeout_add
972
639
return False
973
640
974
641
def __del__(self):
975
642
self.disable()
976
643
977
644
def init_checker(self):
978
645
# Schedule a new checker to be started an 'interval' from now,
979
646
# and every interval from then on.
980
647
if self.checker_initiator_tag is not None:
981
GLib.source_remove(self.checker_initiator_tag)
982
self.checker_initiator_tag = GLib.timeout_add(
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
983
650
int(self.interval.total_seconds() * 1000),
984
651
self.start_checker)
985
652
# Schedule a disable() when 'timeout' has passed
986
653
if self.disable_initiator_tag is not None:
987
GLib.source_remove(self.disable_initiator_tag)
988
self.disable_initiator_tag = GLib.timeout_add(
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
989
656
int(self.timeout.total_seconds() * 1000), self.disable)
990
657
# Also start a new checker *right now*.
991
658
self.start_checker()
992
659
993
660
def checker_callback(self, source, condition, connection,
994
661
command):
995
662
"""The checker has completed, so take appropriate actions."""
998
665
# Read return code from connection (see call_pipe)
999
666
returncode = connection.recv()
1000
667
connection.close()
1001
668
1002
669
if returncode >= 0:
1003
670
self.last_checker_status = returncode
1004
671
self.last_checker_signal = None
1014
681
logger.warning("Checker for %(name)s crashed?",
1015
682
vars(self))
1016
683
return False
1017
684
1018
685
def checked_ok(self):
1019
686
"""Assert that the client has been seen, alive and well."""
1020
687
self.last_checked_ok = datetime.datetime.utcnow()
1021
688
self.last_checker_status = 0
1022
689
self.last_checker_signal = None
1023
690
self.bump_timeout()
1024
691
1025
692
def bump_timeout(self, timeout=None):
1026
693
"""Bump up the timeout for this client."""
1027
694
if timeout is None:
1028
695
timeout = self.timeout
1029
696
if self.disable_initiator_tag is not None:
1030
GLib.source_remove(self.disable_initiator_tag)
697
gobject.source_remove(self.disable_initiator_tag)
1031
698
self.disable_initiator_tag = None
1032
699
if getattr(self, "enabled", False):
1033
self.disable_initiator_tag = GLib.timeout_add(
700
self.disable_initiator_tag = gobject.timeout_add(
1034
701
int(timeout.total_seconds() * 1000), self.disable)
1035
702
self.expires = datetime.datetime.utcnow() + timeout
1036
703
1037
704
def need_approval(self):
1038
705
self.last_approval_request = datetime.datetime.utcnow()
1039
706
1040
707
def start_checker(self):
1041
708
"""Start a new checker subprocess if one is not running.
1042
709
1043
710
If a checker already exists, leave it running and do
1044
711
nothing."""
1045
712
# The reason for not killing a running checker is that if we
1050
717
# checkers alone, the checker would have to take more time
1051
718
# than 'timeout' for the client to be disabled, which is as it
1052
719
# should be.
1053
720
1054
721
if self.checker is not None and not self.checker.is_alive():
1055
722
logger.warning("Checker was not alive; joining")
1056
723
self.checker.join()
1060
727
# Escape attributes for the shell
1061
728
escaped_attrs = {
1062
729
attr: re.escape(str(getattr(self, attr)))
1063
for attr in self.runtime_expansions}
730
for attr in self.runtime_expansions }
1064
731
try:
1065
732
command = self.checker_command % escaped_attrs
1066
733
except TypeError as error:
1078
745
# The exception is when not debugging but nevertheless
1079
746
# running in the foreground; use the previously
1080
747
# created wnull.
1081
popen_args = {"close_fds": True,
1082
"shell": True,
1083
"cwd": "/"}
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1084
751
if (not self.server_settings["debug"]
1085
752
and self.server_settings["foreground"]):
1086
753
popen_args.update({"stdout": wnull,
1087
"stderr": wnull})
1088
pipe = multiprocessing.Pipe(duplex=False)
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1089
756
self.checker = multiprocessing.Process(
1090
target=call_pipe,
1091
args=(pipe[1], subprocess.call, command),
1092
kwargs=popen_args)
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1093
760
self.checker.start()
1094
self.checker_callback_tag = GLib.io_add_watch(
1095
pipe[0].fileno(), GLib.IO_IN,
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1096
763
self.checker_callback, pipe[0], command)
1097
# Re-run this periodically if run by GLib.timeout_add
764
# Re-run this periodically if run by gobject.timeout_add
1098
765
return True
1099
766
1100
767
def stop_checker(self):
1101
768
"""Force the checker process, if any, to stop."""
1102
769
if self.checker_callback_tag:
1103
GLib.source_remove(self.checker_callback_tag)
770
gobject.source_remove(self.checker_callback_tag)
1104
771
self.checker_callback_tag = None
1105
772
if getattr(self, "checker", None) is None:
1106
773
return
1115
782
byte_arrays=False):
1116
783
"""Decorators for marking methods of a DBusObjectWithProperties to
1117
784
become properties on the D-Bus.
1118
785
1119
786
The decorated method will be called with no arguments by "Get"
1120
787
and with one argument by "Set".
1121
788
1122
789
The parameters, where they are supported, are the same as
1123
790
dbus.service.method, except there is only "signature", since the
1124
791
type from Get() and the type sent to Set() is the same.
1128
795
if byte_arrays and signature != "ay":
1129
796
raise ValueError("Byte arrays not supported for non-'ay'"
1130
797
" signature {!r}".format(signature))
1131
798
1132
799
def decorator(func):
1133
800
func._dbus_is_property = True
1134
801
func._dbus_interface = dbus_interface
1137
804
func._dbus_name = func.__name__
1138
805
if func._dbus_name.endswith("_dbus_property"):
1139
806
func._dbus_name = func._dbus_name[:-14]
1140
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1141
808
return func
1142
809
1143
810
return decorator
1144
811
1145
812
1146
813
def dbus_interface_annotations(dbus_interface):
1147
814
"""Decorator for marking functions returning interface annotations
1148
815
1149
816
Usage:
1150
817
1151
818
@dbus_interface_annotations("org.example.Interface")
1152
819
def _foo(self): # Function name does not matter
1153
820
return {"org.freedesktop.DBus.Deprecated": "true",
1154
821
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1155
822
"false"}
1156
823
"""
1157
824
1158
825
def decorator(func):
1159
826
func._dbus_is_interface = True
1160
827
func._dbus_interface = dbus_interface
1161
828
func._dbus_name = dbus_interface
1162
829
return func
1163
830
1164
831
return decorator
1165
832
1166
833
1167
834
def dbus_annotations(annotations):
1168
835
"""Decorator to annotate D-Bus methods, signals or properties
1169
836
Usage:
1170
837
1171
838
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1172
839
"org.freedesktop.DBus.Property."
1173
840
"EmitsChangedSignal": "false"})
1175
842
access="r")
1176
843
def Property_dbus_property(self):
1177
844
return dbus.Boolean(False)
1178
845
1179
846
See also the DBusObjectWithAnnotations class.
1180
847
"""
1181
848
1182
849
def decorator(func):
1183
850
func._dbus_annotations = annotations
1184
851
return func
1185
852
1186
853
return decorator
1187
854
1188
855
1206
873
1207
874
class DBusObjectWithAnnotations(dbus.service.Object):
1208
875
"""A D-Bus object with annotations.
1209
876
1210
877
Classes inheriting from this can use the dbus_annotations
1211
878
decorator to add annotations to methods or signals.
1212
879
"""
1213
880
1214
881
@staticmethod
1215
882
def _is_dbus_thing(thing):
1216
883
"""Returns a function testing if an attribute is a D-Bus thing
1217
884
1218
885
If called like _is_dbus_thing("method") it returns a function
1219
886
suitable for use as predicate to inspect.getmembers().
1220
887
"""
1221
888
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1222
889
False)
1223
890
1224
891
def _get_all_dbus_things(self, thing):
1225
892
"""Returns a generator of (name, attribute) pairs
1226
893
"""
1229
896
for cls in self.__class__.__mro__
1230
897
for name, athing in
1231
898
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1232
899
1233
900
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1234
out_signature="s",
1235
path_keyword='object_path',
1236
connection_keyword='connection')
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1237
904
def Introspect(self, object_path, connection):
1238
905
"""Overloading of standard D-Bus method.
1239
906
1240
907
Inserts annotation tags on methods and signals.
1241
908
"""
1242
909
xmlstring = dbus.service.Object.Introspect(self, object_path,
1243
910
connection)
1244
911
try:
1245
912
document = xml.dom.minidom.parseString(xmlstring)
1246
913
1247
914
for if_tag in document.getElementsByTagName("interface"):
1248
915
# Add annotation tags
1249
916
for typ in ("method", "signal"):
1276
943
if_tag.appendChild(ann_tag)
1277
944
# Fix argument name for the Introspect method itself
1278
945
if (if_tag.getAttribute("name")
1279
== dbus.INTROSPECTABLE_IFACE):
946
== dbus.INTROSPECTABLE_IFACE):
1280
947
for cn in if_tag.getElementsByTagName("method"):
1281
948
if cn.getAttribute("name") == "Introspect":
1282
949
for arg in cn.getElementsByTagName("arg"):
1295
962
1296
963
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1297
964
"""A D-Bus object with properties.
1298
965
1299
966
Classes inheriting from this can use the dbus_service_property
1300
967
decorator to expose methods as D-Bus properties. It exposes the
1301
968
standard Get(), Set(), and GetAll() methods on the D-Bus.
1302
969
"""
1303
970
1304
971
def _get_dbus_property(self, interface_name, property_name):
1305
972
"""Returns a bound method if one exists which is a D-Bus
1306
973
property with the specified name and interface.
1311
978
if (value._dbus_name == property_name
1312
979
and value._dbus_interface == interface_name):
1313
980
return value.__get__(self)
1314
981
1315
982
# No such property
1316
983
raise DBusPropertyNotFound("{}:{}.{}".format(
1317
984
self.dbus_object_path, interface_name, property_name))
1318
985
1319
986
@classmethod
1320
987
def _get_all_interface_names(cls):
1321
988
"""Get a sequence of all interfaces supported by an object"""
1324
991
for x in (inspect.getmro(cls))
1325
992
for attr in dir(x))
1326
993
if name is not None)
1327
994
1328
995
@dbus.service.method(dbus.PROPERTIES_IFACE,
1329
996
in_signature="ss",
1330
997
out_signature="v")
1338
1005
if not hasattr(value, "variant_level"):
1339
1006
return value
1340
1007
return type(value)(value, variant_level=value.variant_level+1)
1341
1008
1342
1009
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1343
1010
def Set(self, interface_name, property_name, value):
1344
1011
"""Standard D-Bus property Set() method, see D-Bus standard.
1356
1023
value = dbus.ByteArray(b''.join(chr(byte)
1357
1024
for byte in value))
1358
1025
prop(value)
1359
1026
1360
1027
@dbus.service.method(dbus.PROPERTIES_IFACE,
1361
1028
in_signature="s",
1362
1029
out_signature="a{sv}")
1363
1030
def GetAll(self, interface_name):
1364
1031
"""Standard D-Bus property GetAll() method, see D-Bus
1365
1032
standard.
1366
1033
1367
1034
Note: Will not include properties with access="write".
1368
1035
"""
1369
1036
properties = {}
1380
1047
properties[name] = value
1381
1048
continue
1382
1049
properties[name] = type(value)(
1383
value, variant_level=value.variant_level + 1)
1050
value, variant_level = value.variant_level + 1)
1384
1051
return dbus.Dictionary(properties, signature="sv")
1385
1052
1386
1053
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1387
1054
def PropertiesChanged(self, interface_name, changed_properties,
1388
1055
invalidated_properties):
1390
1057
standard.
1391
1058
"""
1392
1059
pass
1393
1060
1394
1061
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1395
1062
out_signature="s",
1396
1063
path_keyword='object_path',
1397
1064
connection_keyword='connection')
1398
1065
def Introspect(self, object_path, connection):
1399
1066
"""Overloading of standard D-Bus method.
1400
1067
1401
1068
Inserts property tags and interface annotation tags.
1402
1069
"""
1403
1070
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1405
1072
connection)
1406
1073
try:
1407
1074
document = xml.dom.minidom.parseString(xmlstring)
1408
1075
1409
1076
def make_tag(document, name, prop):
1410
1077
e = document.createElement("property")
1411
1078
e.setAttribute("name", name)
1412
1079
e.setAttribute("type", prop._dbus_signature)
1413
1080
e.setAttribute("access", prop._dbus_access)
1414
1081
return e
1415
1082
1416
1083
for if_tag in document.getElementsByTagName("interface"):
1417
1084
# Add property tags
1418
1085
for tag in (make_tag(document, name, prop)
1465
1132
except AttributeError:
1466
1133
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1467
1134
1468
1469
1135
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1470
1136
"""A D-Bus object with an ObjectManager.
1471
1137
1472
1138
Classes inheriting from this exposes the standard
1473
1139
GetManagedObjects call and the InterfacesAdded and
1474
1140
InterfacesRemoved signals on the standard
1475
1141
"org.freedesktop.DBus.ObjectManager" interface.
1476
1142
1477
1143
Note: No signals are sent automatically; they must be sent
1478
1144
manually.
1479
1145
"""
1480
1146
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1481
out_signature="a{oa{sa{sv}}}")
1147
out_signature = "a{oa{sa{sv}}}")
1482
1148
def GetManagedObjects(self):
1483
1149
"""This function must be overridden"""
1484
1150
raise NotImplementedError()
1485
1151
1486
1152
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1487
signature="oa{sa{sv}}")
1153
signature = "oa{sa{sv}}")
1488
1154
def InterfacesAdded(self, object_path, interfaces_and_properties):
1489
1155
pass
1490
1491
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1492
1158
def InterfacesRemoved(self, object_path, interfaces):
1493
1159
pass
1494
1160
1495
1161
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1496
out_signature="s",
1497
path_keyword='object_path',
1498
connection_keyword='connection')
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1499
1165
def Introspect(self, object_path, connection):
1500
1166
"""Overloading of standard D-Bus method.
1501
1167
1502
1168
Override return argument name of GetManagedObjects to be
1503
1169
"objpath_interfaces_and_properties"
1504
1170
"""
1507
1173
connection)
1508
1174
try:
1509
1175
document = xml.dom.minidom.parseString(xmlstring)
1510
1176
1511
1177
for if_tag in document.getElementsByTagName("interface"):
1512
1178
# Fix argument name for the GetManagedObjects method
1513
1179
if (if_tag.getAttribute("name")
1514
== dbus.OBJECT_MANAGER_IFACE):
1180
== dbus.OBJECT_MANAGER_IFACE):
1515
1181
for cn in if_tag.getElementsByTagName("method"):
1516
1182
if (cn.getAttribute("name")
1517
1183
== "GetManagedObjects"):
1527
1193
except (AttributeError, xml.dom.DOMException,
1528
1194
xml.parsers.expat.ExpatError) as error:
1529
1195
logger.error("Failed to override Introspection method",
1530
exc_info=error)
1196
exc_info = error)
1531
1197
return xmlstring
1532
1198
1533
1534
1199
def datetime_to_dbus(dt, variant_level=0):
1535
1200
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1536
1201
if dt is None:
1537
return dbus.String("", variant_level=variant_level)
1202
return dbus.String("", variant_level = variant_level)
1538
1203
return dbus.String(dt.isoformat(), variant_level=variant_level)
1539
1204
1540
1205
1543
1208
dbus.service.Object, it will add alternate D-Bus attributes with
1544
1209
interface names according to the "alt_interface_names" mapping.
1545
1210
Usage:
1546
1211
1547
1212
@alternate_dbus_interfaces({"org.example.Interface":
1548
1213
"net.example.AlternateInterface"})
1549
1214
class SampleDBusObject(dbus.service.Object):
1550
1215
@dbus.service.method("org.example.Interface")
1551
1216
def SampleDBusMethod():
1552
1217
pass
1553
1218
1554
1219
The above "SampleDBusMethod" on "SampleDBusObject" will be
1555
1220
reachable via two interfaces: "org.example.Interface" and
1556
1221
"net.example.AlternateInterface", the latter of which will have
1557
1222
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1558
1223
"true", unless "deprecate" is passed with a False value.
1559
1224
1560
1225
This works for methods and signals, and also for D-Bus properties
1561
1226
(from DBusObjectWithProperties) and interfaces (from the
1562
1227
dbus_interface_annotations decorator).
1563
1228
"""
1564
1229
1565
1230
def wrapper(cls):
1566
1231
for orig_interface_name, alt_interface_name in (
1567
1232
alt_interface_names.items()):
1582
1247
interface_names.add(alt_interface)
1583
1248
# Is this a D-Bus signal?
1584
1249
if getattr(attribute, "_dbus_is_signal", False):
1585
# Extract the original non-method undecorated
1586
# function by black magic
1587
1250
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1588
1253
nonmethod_func = (dict(
1589
1254
zip(attribute.func_code.co_freevars,
1590
1255
attribute.__closure__))
1591
1256
["func"].cell_contents)
1592
1257
else:
1593
nonmethod_func = (dict(
1594
zip(attribute.__code__.co_freevars,
1595
attribute.__closure__))
1596
["func"].cell_contents)
1258
nonmethod_func = attribute
1597
1259
# Create a new, but exactly alike, function
1598
1260
# object, and decorate it to be a new D-Bus signal
1599
1261
# with the alternate D-Bus interface name
1600
new_function = copy_function(nonmethod_func)
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1601
1276
new_function = (dbus.service.signal(
1602
1277
alt_interface,
1603
1278
attribute._dbus_signature)(new_function))
1607
1282
attribute._dbus_annotations)
1608
1283
except AttributeError:
1609
1284
pass
1610
1611
1285
# Define a creator of a function to call both the
1612
1286
# original and alternate functions, so both the
1613
1287
# original and alternate signals gets sent when
1616
1290
"""This function is a scope container to pass
1617
1291
func1 and func2 to the "call_both" function
1618
1292
outside of its arguments"""
1619
1293
1620
1294
@functools.wraps(func2)
1621
1295
def call_both(*args, **kwargs):
1622
1296
"""This function will emit two D-Bus
1623
1297
signals by calling func1 and func2"""
1624
1298
func1(*args, **kwargs)
1625
1299
func2(*args, **kwargs)
1626
# Make wrapper function look like a D-Bus
1627
# signal
1300
# Make wrapper function look like a D-Bus signal
1628
1301
for name, attr in inspect.getmembers(func2):
1629
1302
if name.startswith("_dbus_"):
1630
1303
setattr(call_both, name, attr)
1631
1304
1632
1305
return call_both
1633
1306
# Create the "call_both" function and add it to
1634
1307
# the class
1644
1317
alt_interface,
1645
1318
attribute._dbus_in_signature,
1646
1319
attribute._dbus_out_signature)
1647
(copy_function(attribute)))
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1648
1325
# Copy annotations, if any
1649
1326
try:
1650
1327
attr[attrname]._dbus_annotations = dict(
1662
1339
attribute._dbus_access,
1663
1340
attribute._dbus_get_args_options
1664
1341
["byte_arrays"])
1665
(copy_function(attribute)))
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1666
1348
# Copy annotations, if any
1667
1349
try:
1668
1350
attr[attrname]._dbus_annotations = dict(
1677
1359
# to the class.
1678
1360
attr[attrname] = (
1679
1361
dbus_interface_annotations(alt_interface)
1680
(copy_function(attribute)))
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1681
1367
if deprecate:
1682
1368
# Deprecate all alternate interfaces
1683
iname = "_AlternateDBusNames_interface_annotation{}"
1369
iname="_AlternateDBusNames_interface_annotation{}"
1684
1370
for interface_name in interface_names:
1685
1371
1686
1372
@dbus_interface_annotations(interface_name)
1687
1373
def func(self):
1688
return {"org.freedesktop.DBus.Deprecated":
1689
"true"}
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1690
1376
# Find an unused name
1691
1377
for aname in (iname.format(i)
1692
1378
for i in itertools.count()):
1696
1382
if interface_names:
1697
1383
# Replace the class with a new subclass of it with
1698
1384
# methods, signals, etc. as created above.
1699
if sys.version_info.major == 2:
1700
cls = type(b"{}Alternate".format(cls.__name__),
1701
(cls, ), attr)
1702
else:
1703
cls = type("{}Alternate".format(cls.__name__),
1704
(cls, ), attr)
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1705
1387
return cls
1706
1388
1707
1389
return wrapper
1708
1390
1709
1391
1711
1393
"se.bsnet.fukt.Mandos"})
1712
1394
class ClientDBus(Client, DBusObjectWithProperties):
1713
1395
"""A Client class using D-Bus
1714
1396
1715
1397
Attributes:
1716
1398
dbus_object_path: dbus.ObjectPath
1717
1399
bus: dbus.SystemBus()
1718
1400
"""
1719
1401
1720
1402
runtime_expansions = (Client.runtime_expansions
1721
1403
+ ("dbus_object_path", ))
1722
1404
1723
1405
_interface = "se.recompile.Mandos.Client"
1724
1406
1725
1407
# dbus.service.Object doesn't use super(), so we can't either.
1726
1727
def __init__(self, bus=None, *args, **kwargs):
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1728
1410
self.bus = bus
1729
1411
Client.__init__(self, *args, **kwargs)
1730
1412
# Only now, when this client is initialized, can it show up on
1736
1418
"/clients/" + client_object_name)
1737
1419
DBusObjectWithProperties.__init__(self, self.bus,
1738
1420
self.dbus_object_path)
1739
1421
1740
1422
def notifychangeproperty(transform_func, dbus_name,
1741
1423
type_func=lambda x: x,
1742
1424
variant_level=1,
1744
1426
_interface=_interface):
1745
1427
""" Modify a variable so that it's a property which announces
1746
1428
its changes to DBus.
1747
1429
1748
1430
transform_fun: Function that takes a value and a variant_level
1749
1431
and transforms it to a D-Bus type.
1750
1432
dbus_name: D-Bus name of the variable
1753
1435
variant_level: D-Bus variant level. Default: 1
1754
1436
"""
1755
1437
attrname = "_{}".format(dbus_name)
1756
1438
1757
1439
def setter(self, value):
1758
1440
if hasattr(self, "dbus_object_path"):
1759
1441
if (not hasattr(self, attrname) or
1766
1448
else:
1767
1449
dbus_value = transform_func(
1768
1450
type_func(value),
1769
variant_level=variant_level)
1451
variant_level = variant_level)
1770
1452
self.PropertyChanged(dbus.String(dbus_name),
1771
1453
dbus_value)
1772
1454
self.PropertiesChanged(
1773
1455
_interface,
1774
dbus.Dictionary({dbus.String(dbus_name):
1775
dbus_value}),
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1776
1458
dbus.Array())
1777
1459
setattr(self, attrname, value)
1778
1460
1779
1461
return property(lambda self: getattr(self, attrname), setter)
1780
1462
1781
1463
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1782
1464
approvals_pending = notifychangeproperty(dbus.Boolean,
1783
1465
"ApprovalPending",
1784
type_func=bool)
1466
type_func = bool)
1785
1467
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1786
1468
last_enabled = notifychangeproperty(datetime_to_dbus,
1787
1469
"LastEnabled")
1788
1470
checker = notifychangeproperty(
1789
1471
dbus.Boolean, "CheckerRunning",
1790
type_func=lambda checker: checker is not None)
1472
type_func = lambda checker: checker is not None)
1791
1473
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1792
1474
"LastCheckedOK")
1793
1475
last_checker_status = notifychangeproperty(dbus.Int16,
1798
1480
"ApprovedByDefault")
1799
1481
approval_delay = notifychangeproperty(
1800
1482
dbus.UInt64, "ApprovalDelay",
1801
type_func=lambda td: td.total_seconds() * 1000)
1483
type_func = lambda td: td.total_seconds() * 1000)
1802
1484
approval_duration = notifychangeproperty(
1803
1485
dbus.UInt64, "ApprovalDuration",
1804
type_func=lambda td: td.total_seconds() * 1000)
1486
type_func = lambda td: td.total_seconds() * 1000)
1805
1487
host = notifychangeproperty(dbus.String, "Host")
1806
1488
timeout = notifychangeproperty(
1807
1489
dbus.UInt64, "Timeout",
1808
type_func=lambda td: td.total_seconds() * 1000)
1490
type_func = lambda td: td.total_seconds() * 1000)
1809
1491
extended_timeout = notifychangeproperty(
1810
1492
dbus.UInt64, "ExtendedTimeout",
1811
type_func=lambda td: td.total_seconds() * 1000)
1493
type_func = lambda td: td.total_seconds() * 1000)
1812
1494
interval = notifychangeproperty(
1813
1495
dbus.UInt64, "Interval",
1814
type_func=lambda td: td.total_seconds() * 1000)
1496
type_func = lambda td: td.total_seconds() * 1000)
1815
1497
checker_command = notifychangeproperty(dbus.String, "Checker")
1816
1498
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1817
1499
invalidate_only=True)
1818
1500
1819
1501
del notifychangeproperty
1820
1502
1821
1503
def __del__(self, *args, **kwargs):
1822
1504
try:
1823
1505
self.remove_from_connection()
1826
1508
if hasattr(DBusObjectWithProperties, "__del__"):
1827
1509
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1828
1510
Client.__del__(self, *args, **kwargs)
1829
1511
1830
1512
def checker_callback(self, source, condition,
1831
1513
connection, command, *args, **kwargs):
1832
1514
ret = Client.checker_callback(self, source, condition,
1848
1530
| self.last_checker_signal),
1849
1531
dbus.String(command))
1850
1532
return ret
1851
1533
1852
1534
def start_checker(self, *args, **kwargs):
1853
1535
old_checker_pid = getattr(self.checker, "pid", None)
1854
1536
r = Client.start_checker(self, *args, **kwargs)
1858
1540
# Emit D-Bus signal
1859
1541
self.CheckerStarted(self.current_checker_command)
1860
1542
return r
1861
1543
1862
1544
def _reset_approved(self):
1863
1545
self.approved = None
1864
1546
return False
1865
1547
1866
1548
def approve(self, value=True):
1867
1549
self.approved = value
1868
GLib.timeout_add(int(self.approval_duration.total_seconds()
1869
* 1000), self._reset_approved)
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1870
1552
self.send_changedstate()
1871
1872
# D-Bus methods, signals & properties
1873
1874
# Interfaces
1875
1876
# Signals
1877
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1878
1560
# CheckerCompleted - signal
1879
1561
@dbus.service.signal(_interface, signature="nxs")
1880
1562
def CheckerCompleted(self, exitcode, waitstatus, command):
1881
1563
"D-Bus signal"
1882
1564
pass
1883
1565
1884
1566
# CheckerStarted - signal
1885
1567
@dbus.service.signal(_interface, signature="s")
1886
1568
def CheckerStarted(self, command):
1887
1569
"D-Bus signal"
1888
1570
pass
1889
1571
1890
1572
# PropertyChanged - signal
1891
1573
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1892
1574
@dbus.service.signal(_interface, signature="sv")
1893
1575
def PropertyChanged(self, property, value):
1894
1576
"D-Bus signal"
1895
1577
pass
1896
1578
1897
1579
# GotSecret - signal
1898
1580
@dbus.service.signal(_interface)
1899
1581
def GotSecret(self):
1902
1584
server to mandos-client
1903
1585
"""
1904
1586
pass
1905
1587
1906
1588
# Rejected - signal
1907
1589
@dbus.service.signal(_interface, signature="s")
1908
1590
def Rejected(self, reason):
1909
1591
"D-Bus signal"
1910
1592
pass
1911
1593
1912
1594
# NeedApproval - signal
1913
1595
@dbus.service.signal(_interface, signature="tb")
1914
1596
def NeedApproval(self, timeout, default):
1915
1597
"D-Bus signal"
1916
1598
return self.need_approval()
1917
1918
# Methods
1919
1599
1600
## Methods
1601
1920
1602
# Approve - method
1921
1603
@dbus.service.method(_interface, in_signature="b")
1922
1604
def Approve(self, value):
1923
1605
self.approve(value)
1924
1606
1925
1607
# CheckedOK - method
1926
1608
@dbus.service.method(_interface)
1927
1609
def CheckedOK(self):
1928
1610
self.checked_ok()
1929
1611
1930
1612
# Enable - method
1931
1613
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1932
1614
@dbus.service.method(_interface)
1933
1615
def Enable(self):
1934
1616
"D-Bus method"
1935
1617
self.enable()
1936
1618
1937
1619
# StartChecker - method
1938
1620
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1939
1621
@dbus.service.method(_interface)
1940
1622
def StartChecker(self):
1941
1623
"D-Bus method"
1942
1624
self.start_checker()
1943
1625
1944
1626
# Disable - method
1945
1627
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1946
1628
@dbus.service.method(_interface)
1947
1629
def Disable(self):
1948
1630
"D-Bus method"
1949
1631
self.disable()
1950
1632
1951
1633
# StopChecker - method
1952
1634
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1953
1635
@dbus.service.method(_interface)
1954
1636
def StopChecker(self):
1955
1637
self.stop_checker()
1956
1957
# Properties
1958
1638
1639
## Properties
1640
1959
1641
# ApprovalPending - property
1960
1642
@dbus_service_property(_interface, signature="b", access="read")
1961
1643
def ApprovalPending_dbus_property(self):
1962
1644
return dbus.Boolean(bool(self.approvals_pending))
1963
1645
1964
1646
# ApprovedByDefault - property
1965
1647
@dbus_service_property(_interface,
1966
1648
signature="b",
1969
1651
if value is None: # get
1970
1652
return dbus.Boolean(self.approved_by_default)
1971
1653
self.approved_by_default = bool(value)
1972
1654
1973
1655
# ApprovalDelay - property
1974
1656
@dbus_service_property(_interface,
1975
1657
signature="t",
1979
1661
return dbus.UInt64(self.approval_delay.total_seconds()
1980
1662
* 1000)
1981
1663
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1982
1664
1983
1665
# ApprovalDuration - property
1984
1666
@dbus_service_property(_interface,
1985
1667
signature="t",
1989
1671
return dbus.UInt64(self.approval_duration.total_seconds()
1990
1672
* 1000)
1991
1673
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1992
1674
1993
1675
# Name - property
1994
1676
@dbus_annotations(
1995
1677
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1996
1678
@dbus_service_property(_interface, signature="s", access="read")
1997
1679
def Name_dbus_property(self):
1998
1680
return dbus.String(self.name)
1999
1681
2000
1682
# Fingerprint - property
2001
1683
@dbus_annotations(
2002
1684
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2003
1685
@dbus_service_property(_interface, signature="s", access="read")
2004
1686
def Fingerprint_dbus_property(self):
2005
1687
return dbus.String(self.fingerprint)
2006
1688
2007
1689
# Host - property
2008
1690
@dbus_service_property(_interface,
2009
1691
signature="s",
2012
1694
if value is None: # get
2013
1695
return dbus.String(self.host)
2014
1696
self.host = str(value)
2015
1697
2016
1698
# Created - property
2017
1699
@dbus_annotations(
2018
1700
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2019
1701
@dbus_service_property(_interface, signature="s", access="read")
2020
1702
def Created_dbus_property(self):
2021
1703
return datetime_to_dbus(self.created)
2022
1704
2023
1705
# LastEnabled - property
2024
1706
@dbus_service_property(_interface, signature="s", access="read")
2025
1707
def LastEnabled_dbus_property(self):
2026
1708
return datetime_to_dbus(self.last_enabled)
2027
1709
2028
1710
# Enabled - property
2029
1711
@dbus_service_property(_interface,
2030
1712
signature="b",
2036
1718
self.enable()
2037
1719
else:
2038
1720
self.disable()
2039
1721
2040
1722
# LastCheckedOK - property
2041
1723
@dbus_service_property(_interface,
2042
1724
signature="s",
2046
1728
self.checked_ok()
2047
1729
return
2048
1730
return datetime_to_dbus(self.last_checked_ok)
2049
1731
2050
1732
# LastCheckerStatus - property
2051
1733
@dbus_service_property(_interface, signature="n", access="read")
2052
1734
def LastCheckerStatus_dbus_property(self):
2053
1735
return dbus.Int16(self.last_checker_status)
2054
1736
2055
1737
# Expires - property
2056
1738
@dbus_service_property(_interface, signature="s", access="read")
2057
1739
def Expires_dbus_property(self):
2058
1740
return datetime_to_dbus(self.expires)
2059
1741
2060
1742
# LastApprovalRequest - property
2061
1743
@dbus_service_property(_interface, signature="s", access="read")
2062
1744
def LastApprovalRequest_dbus_property(self):
2063
1745
return datetime_to_dbus(self.last_approval_request)
2064
1746
2065
1747
# Timeout - property
2066
1748
@dbus_service_property(_interface,
2067
1749
signature="t",
2082
1764
if (getattr(self, "disable_initiator_tag", None)
2083
1765
is None):
2084
1766
return
2085
GLib.source_remove(self.disable_initiator_tag)
2086
self.disable_initiator_tag = GLib.timeout_add(
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2087
1769
int((self.expires - now).total_seconds() * 1000),
2088
1770
self.disable)
2089
1771
2090
1772
# ExtendedTimeout - property
2091
1773
@dbus_service_property(_interface,
2092
1774
signature="t",
2096
1778
return dbus.UInt64(self.extended_timeout.total_seconds()
2097
1779
* 1000)
2098
1780
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2099
1781
2100
1782
# Interval - property
2101
1783
@dbus_service_property(_interface,
2102
1784
signature="t",
2109
1791
return
2110
1792
if self.enabled:
2111
1793
# Reschedule checker run
2112
GLib.source_remove(self.checker_initiator_tag)
2113
self.checker_initiator_tag = GLib.timeout_add(
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2114
1796
value, self.start_checker)
2115
self.start_checker() # Start one now, too
2116
1797
self.start_checker() # Start one now, too
1798
2117
1799
# Checker - property
2118
1800
@dbus_service_property(_interface,
2119
1801
signature="s",
2122
1804
if value is None: # get
2123
1805
return dbus.String(self.checker_command)
2124
1806
self.checker_command = str(value)
2125
1807
2126
1808
# CheckerRunning - property
2127
1809
@dbus_service_property(_interface,
2128
1810
signature="b",
2134
1816
self.start_checker()
2135
1817
else:
2136
1818
self.stop_checker()
2137
1819
2138
1820
# ObjectPath - property
2139
1821
@dbus_annotations(
2140
1822
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2141
1823
"org.freedesktop.DBus.Deprecated": "true"})
2142
1824
@dbus_service_property(_interface, signature="o", access="read")
2143
1825
def ObjectPath_dbus_property(self):
2144
return self.dbus_object_path # is already a dbus.ObjectPath
2145
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2146
1828
# Secret = property
2147
1829
@dbus_annotations(
2148
1830
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2153
1835
byte_arrays=True)
2154
1836
def Secret_dbus_property(self, value):
2155
1837
self.secret = bytes(value)
2156
1838
2157
1839
del _interface
2158
1840
2159
1841
2163
1845
self._pipe.send(('init', fpr, address))
2164
1846
if not self._pipe.recv():
2165
1847
raise KeyError(fpr)
2166
1848
2167
1849
def __getattribute__(self, name):
2168
1850
if name == '_pipe':
2169
1851
return super(ProxyClient, self).__getattribute__(name)
2172
1854
if data[0] == 'data':
2173
1855
return data[1]
2174
1856
if data[0] == 'function':
2175
1857
2176
1858
def func(*args, **kwargs):
2177
1859
self._pipe.send(('funcall', name, args, kwargs))
2178
1860
return self._pipe.recv()[1]
2179
1861
2180
1862
return func
2181
1863
2182
1864
def __setattr__(self, name, value):
2183
1865
if name == '_pipe':
2184
1866
return super(ProxyClient, self).__setattr__(name, value)
2187
1869
2188
1870
class ClientHandler(socketserver.BaseRequestHandler, object):
2189
1871
"""A class to handle client connections.
2190
1872
2191
1873
Instantiated once for each connection to handle it.
2192
1874
Note: This will run in its own forked process."""
2193
1875
2194
1876
def handle(self):
2195
1877
with contextlib.closing(self.server.child_pipe) as child_pipe:
2196
1878
logger.info("TCP connection from: %s",
2197
1879
str(self.client_address))
2198
1880
logger.debug("Pipe FD: %d",
2199
1881
self.server.child_pipe.fileno())
2200
2201
session = gnutls.ClientSession(self.request)
2202
2203
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2204
# "+AES-256-CBC", "+SHA1",
2205
# "+COMP-NULL", "+CTYPE-OPENPGP",
2206
# "+DHE-DSS"))
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2207
1895
# Use a fallback default, since this MUST be set.
2208
1896
priority = self.server.gnutls_priority
2209
1897
if priority is None:
2210
1898
priority = "NORMAL"
2211
gnutls.priority_set_direct(session._c_object,
2212
priority.encode("utf-8"),
2213
None)
2214
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2215
1902
# Start communication using the Mandos protocol
2216
1903
# Get protocol number
2217
1904
line = self.request.makefile().readline()
2222
1909
except (ValueError, IndexError, RuntimeError) as error:
2223
1910
logger.error("Unknown protocol version: %s", error)
2224
1911
return
2225
1912
2226
1913
# Start GnuTLS connection
2227
1914
try:
2228
1915
session.handshake()
2229
except gnutls.Error as error:
1916
except gnutls.errors.GNUTLSError as error:
2230
1917
logger.warning("Handshake failed: %s", error)
2231
1918
# Do not run session.bye() here: the session is not
2232
1919
# established. Just abandon the request.
2233
1920
return
2234
1921
logger.debug("Handshake succeeded")
2235
1922
2236
1923
approval_required = False
2237
1924
try:
2238
1925
try:
2239
1926
fpr = self.fingerprint(
2240
1927
self.peer_certificate(session))
2241
except (TypeError, gnutls.Error) as error:
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
2242
1930
logger.warning("Bad certificate: %s", error)
2243
1931
return
2244
1932
logger.debug("Fingerprint: %s", fpr)
2245
1933
2246
1934
try:
2247
1935
client = ProxyClient(child_pipe, fpr,
2248
1936
self.client_address)
2249
1937
except KeyError:
2250
1938
return
2251
1939
2252
1940
if client.approval_delay:
2253
1941
delay = client.approval_delay
2254
1942
client.approvals_pending += 1
2255
1943
approval_required = True
2256
1944
2257
1945
while True:
2258
1946
if not client.enabled:
2259
1947
logger.info("Client %s is disabled",
2262
1950
# Emit D-Bus signal
2263
1951
client.Rejected("Disabled")
2264
1952
return
2265
1953
2266
1954
if client.approved or not client.approval_delay:
2267
# We are approved or approval is disabled
1955
#We are approved or approval is disabled
2268
1956
break
2269
1957
elif client.approved is None:
2270
1958
logger.info("Client %s needs approval",
2281
1969
# Emit D-Bus signal
2282
1970
client.Rejected("Denied")
2283
1971
return
2284
2285
# wait until timeout or approved
1972
1973
#wait until timeout or approved
2286
1974
time = datetime.datetime.now()
2287
1975
client.changedstate.acquire()
2288
1976
client.changedstate.wait(delay.total_seconds())
2301
1989
break
2302
1990
else:
2303
1991
delay -= time2 - time
2304
2305
try:
2306
session.send(client.secret)
2307
except gnutls.Error as error:
2308
logger.warning("gnutls send failed",
2309
exc_info=error)
2310
return
2311
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2312
2006
logger.info("Sending secret to %s", client.name)
2313
2007
# bump the timeout using extended_timeout
2314
2008
client.bump_timeout(client.extended_timeout)
2315
2009
if self.server.use_dbus:
2316
2010
# Emit D-Bus signal
2317
2011
client.GotSecret()
2318
2012
2319
2013
finally:
2320
2014
if approval_required:
2321
2015
client.approvals_pending -= 1
2322
2016
try:
2323
2017
session.bye()
2324
except gnutls.Error as error:
2018
except gnutls.errors.GNUTLSError as error:
2325
2019
logger.warning("GnuTLS bye failed",
2326
2020
exc_info=error)
2327
2021
2328
2022
@staticmethod
2329
2023
def peer_certificate(session):
2330
2024
"Return the peer's OpenPGP certificate as a bytestring"
2331
2025
# If not an OpenPGP certificate...
2332
if (gnutls.certificate_type_get(session._c_object)
2333
!= gnutls.CRT_OPENPGP):
2334
# ...return invalid data
2335
return b""
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2336
2031
list_size = ctypes.c_uint(1)
2337
cert_list = (gnutls.certificate_get_peers
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2338
2034
(session._c_object, ctypes.byref(list_size)))
2339
2035
if not bool(cert_list) and list_size.value != 0:
2340
raise gnutls.Error("error getting peer certificate")
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2341
2038
if list_size.value == 0:
2342
2039
return None
2343
2040
cert = cert_list[0]
2344
2041
return ctypes.string_at(cert.data, cert.size)
2345
2042
2346
2043
@staticmethod
2347
2044
def fingerprint(openpgp):
2348
2045
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2349
2046
# New GnuTLS "datum" with the OpenPGP public key
2350
datum = gnutls.datum_t(
2047
datum = gnutls.library.types.gnutls_datum_t(
2351
2048
ctypes.cast(ctypes.c_char_p(openpgp),
2352
2049
ctypes.POINTER(ctypes.c_ubyte)),
2353
2050
ctypes.c_uint(len(openpgp)))
2354
2051
# New empty GnuTLS certificate
2355
crt = gnutls.openpgp_crt_t()
2356
gnutls.openpgp_crt_init(ctypes.byref(crt))
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2357
2055
# Import the OpenPGP public key into the certificate
2358
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2359
gnutls.OPENPGP_FMT_RAW)
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2360
2059
# Verify the self signature in the key
2361
2060
crtverify = ctypes.c_uint()
2362
gnutls.openpgp_crt_verify_self(crt, 0,
2363
ctypes.byref(crtverify))
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2364
2063
if crtverify.value != 0:
2365
gnutls.openpgp_crt_deinit(crt)
2366
raise gnutls.CertificateSecurityError("Verify failed")
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2367
2067
# New buffer for the fingerprint
2368
2068
buf = ctypes.create_string_buffer(20)
2369
2069
buf_len = ctypes.c_size_t()
2370
2070
# Get the fingerprint from the certificate into the buffer
2371
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2372
ctypes.byref(buf_len))
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2373
2073
# Deinit the certificate
2374
gnutls.openpgp_crt_deinit(crt)
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2375
2075
# Convert the buffer to a Python bytestring
2376
2076
fpr = ctypes.string_at(buf, buf_len.value)
2377
2077
# Convert the bytestring to hexadecimal notation
2381
2081
2382
2082
class MultiprocessingMixIn(object):
2383
2083
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2384
2084
2385
2085
def sub_process_main(self, request, address):
2386
2086
try:
2387
2087
self.finish_request(request, address)
2388
2088
except Exception:
2389
2089
self.handle_error(request, address)
2390
2090
self.close_request(request)
2391
2091
2392
2092
def process_request(self, request, address):
2393
2093
"""Start a new process to process the request."""
2394
proc = multiprocessing.Process(target=self.sub_process_main,
2395
args=(request, address))
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2396
2096
proc.start()
2397
2097
return proc
2398
2098
2399
2099
2400
2100
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2401
2101
""" adds a pipe to the MixIn """
2402
2102
2403
2103
def process_request(self, request, client_address):
2404
2104
"""Overrides and wraps the original process_request().
2405
2105
2406
2106
This function creates a new pipe in self.pipe
2407
2107
"""
2408
2108
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2409
2109
2410
2110
proc = MultiprocessingMixIn.process_request(self, request,
2411
2111
client_address)
2412
2112
self.child_pipe.close()
2413
2113
self.add_pipe(parent_pipe, proc)
2414
2114
2415
2115
def add_pipe(self, parent_pipe, proc):
2416
2116
"""Dummy function; override as necessary"""
2417
2117
raise NotImplementedError()
2420
2120
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2421
2121
socketserver.TCPServer, object):
2422
2122
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2423
2123
2424
2124
Attributes:
2425
2125
enabled: Boolean; whether this server is activated yet
2426
2126
interface: None or a network interface name (string)
2427
2127
use_ipv6: Boolean; to use IPv6 or not
2428
2128
"""
2429
2129
2430
2130
def __init__(self, server_address, RequestHandlerClass,
2431
2131
interface=None,
2432
2132
use_ipv6=True,
2442
2142
self.socketfd = socketfd
2443
2143
# Save the original socket.socket() function
2444
2144
self.socket_socket = socket.socket
2445
2446
2145
# To implement --socket, we monkey patch socket.socket.
2447
#
2146
#
2448
2147
# (When socketserver.TCPServer is a new-style class, we
2449
2148
# could make self.socket into a property instead of monkey
2450
2149
# patching socket.socket.)
2451
#
2150
#
2452
2151
# Create a one-time-only replacement for socket.socket()
2453
2152
@functools.wraps(socket.socket)
2454
2153
def socket_wrapper(*args, **kwargs):
2466
2165
# socket_wrapper(), if socketfd was set.
2467
2166
socketserver.TCPServer.__init__(self, server_address,
2468
2167
RequestHandlerClass)
2469
2168
2470
2169
def server_bind(self):
2471
2170
"""This overrides the normal server_bind() function
2472
2171
to bind to an interface if one was specified, and also NOT to
2473
2172
bind to an address or port if they were not specified."""
2474
global SO_BINDTODEVICE
2475
2173
if self.interface is not None:
2476
2174
if SO_BINDTODEVICE is None:
2477
# Fall back to a hard-coded value which seems to be
2478
# common enough.
2479
logger.warning("SO_BINDTODEVICE not found, trying 25")
2480
SO_BINDTODEVICE = 25
2481
try:
2482
self.socket.setsockopt(
2483
socket.SOL_SOCKET, SO_BINDTODEVICE,
2484
(self.interface + "\0").encode("utf-8"))
2485
except socket.error as error:
2486
if error.errno == errno.EPERM:
2487
logger.error("No permission to bind to"
2488
" interface %s", self.interface)
2489
elif error.errno == errno.ENOPROTOOPT:
2490
logger.error("SO_BINDTODEVICE not available;"
2491
" cannot bind to interface %s",
2492
self.interface)
2493
elif error.errno == errno.ENODEV:
2494
logger.error("Interface %s does not exist,"
2495
" cannot bind", self.interface)
2496
else:
2497
raise
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2498
2196
# Only bind(2) the socket if we really need to.
2499
2197
if self.server_address[0] or self.server_address[1]:
2500
2198
if not self.server_address[0]:
2501
2199
if self.address_family == socket.AF_INET6:
2502
any_address = "::" # in6addr_any
2200
any_address = "::" # in6addr_any
2503
2201
else:
2504
any_address = "0.0.0.0" # INADDR_ANY
2202
any_address = "0.0.0.0" # INADDR_ANY
2505
2203
self.server_address = (any_address,
2506
2204
self.server_address[1])
2507
2205
elif not self.server_address[1]:
2517
2215
2518
2216
class MandosServer(IPv6_TCPServer):
2519
2217
"""Mandos server.
2520
2218
2521
2219
Attributes:
2522
2220
clients: set of Client objects
2523
2221
gnutls_priority GnuTLS priority string
2524
2222
use_dbus: Boolean; to emit D-Bus signals or not
2525
2526
Assumes a GLib.MainLoop event loop.
2223
2224
Assumes a gobject.MainLoop event loop.
2527
2225
"""
2528
2226
2529
2227
def __init__(self, server_address, RequestHandlerClass,
2530
2228
interface=None,
2531
2229
use_ipv6=True,
2541
2239
self.gnutls_priority = gnutls_priority
2542
2240
IPv6_TCPServer.__init__(self, server_address,
2543
2241
RequestHandlerClass,
2544
interface=interface,
2545
use_ipv6=use_ipv6,
2546
socketfd=socketfd)
2547
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2548
2246
def server_activate(self):
2549
2247
if self.enabled:
2550
2248
return socketserver.TCPServer.server_activate(self)
2551
2249
2552
2250
def enable(self):
2553
2251
self.enabled = True
2554
2252
2555
2253
def add_pipe(self, parent_pipe, proc):
2556
2254
# Call "handle_ipc" for both data and EOF events
2557
GLib.io_add_watch(
2255
gobject.io_add_watch(
2558
2256
parent_pipe.fileno(),
2559
GLib.IO_IN | GLib.IO_HUP,
2257
gobject.IO_IN | gobject.IO_HUP,
2560
2258
functools.partial(self.handle_ipc,
2561
parent_pipe=parent_pipe,
2562
proc=proc))
2563
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2564
2262
def handle_ipc(self, source, condition,
2565
2263
parent_pipe=None,
2566
proc=None,
2264
proc = None,
2567
2265
client_object=None):
2568
2266
# error, or the other end of multiprocessing.Pipe has closed
2569
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2570
2268
# Wait for other process to exit
2571
2269
proc.join()
2572
2270
return False
2573
2271
2574
2272
# Read a request from the child
2575
2273
request = parent_pipe.recv()
2576
2274
command = request[0]
2577
2275
2578
2276
if command == 'init':
2579
2277
fpr = request[1]
2580
2278
address = request[2]
2581
2582
for c in self.clients.values():
2279
2280
for c in self.clients.itervalues():
2583
2281
if c.fingerprint == fpr:
2584
2282
client = c
2585
2283
break
2592
2290
address[0])
2593
2291
parent_pipe.send(False)
2594
2292
return False
2595
2596
GLib.io_add_watch(
2293
2294
gobject.io_add_watch(
2597
2295
parent_pipe.fileno(),
2598
GLib.IO_IN | GLib.IO_HUP,
2296
gobject.IO_IN | gobject.IO_HUP,
2599
2297
functools.partial(self.handle_ipc,
2600
parent_pipe=parent_pipe,
2601
proc=proc,
2602
client_object=client))
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2603
2301
parent_pipe.send(True)
2604
2302
# remove the old hook in favor of the new above hook on
2605
2303
# same fileno
2608
2306
funcname = request[1]
2609
2307
args = request[2]
2610
2308
kwargs = request[3]
2611
2309
2612
2310
parent_pipe.send(('data', getattr(client_object,
2613
2311
funcname)(*args,
2614
2312
**kwargs)))
2615
2313
2616
2314
if command == 'getattr':
2617
2315
attrname = request[1]
2618
2316
if isinstance(client_object.__getattribute__(attrname),
2621
2319
else:
2622
2320
parent_pipe.send((
2623
2321
'data', client_object.__getattribute__(attrname)))
2624
2322
2625
2323
if command == 'setattr':
2626
2324
attrname = request[1]
2627
2325
value = request[2]
2628
2326
setattr(client_object, attrname, value)
2629
2327
2630
2328
return True
2631
2329
2632
2330
2633
2331
def rfc3339_duration_to_delta(duration):
2634
2332
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2635
2333
2636
2334
>>> rfc3339_duration_to_delta("P7D")
2637
2335
datetime.timedelta(7)
2638
2336
>>> rfc3339_duration_to_delta("PT60S")
2648
2346
>>> rfc3339_duration_to_delta("P1DT3M20S")
2649
2347
datetime.timedelta(1, 200)
2650
2348
"""
2651
2349
2652
2350
# Parsing an RFC 3339 duration with regular expressions is not
2653
2351
# possible - there would have to be multiple places for the same
2654
2352
# values, like seconds. The current code, while more esoteric, is
2655
2353
# cleaner without depending on a parsing library. If Python had a
2656
2354
# built-in library for parsing we would use it, but we'd like to
2657
2355
# avoid excessive use of external libraries.
2658
2356
2659
2357
# New type for defining tokens, syntax, and semantics all-in-one
2660
2358
Token = collections.namedtuple("Token", (
2661
2359
"regexp", # To match token; if "value" is not None, must have
2694
2392
frozenset((token_year, token_month,
2695
2393
token_day, token_time,
2696
2394
token_week)))
2697
# Define starting values:
2698
# Value so far
2699
value = datetime.timedelta()
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2700
2397
found_token = None
2701
# Following valid tokens
2702
followers = frozenset((token_duration, ))
2703
# String left to parse
2704
s = duration
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2705
2400
# Loop until end token is found
2706
2401
while found_token is not token_end:
2707
2402
# Search for any currently valid tokens
2731
2426
2732
2427
def string_to_delta(interval):
2733
2428
"""Parse a string and return a datetime.timedelta
2734
2429
2735
2430
>>> string_to_delta('7d')
2736
2431
datetime.timedelta(7)
2737
2432
>>> string_to_delta('60s')
2745
2440
>>> string_to_delta('5m 30s')
2746
2441
datetime.timedelta(0, 330)
2747
2442
"""
2748
2443
2749
2444
try:
2750
2445
return rfc3339_duration_to_delta(interval)
2751
2446
except ValueError:
2752
2447
pass
2753
2448
2754
2449
timevalue = datetime.timedelta(0)
2755
2450
for s in interval.split():
2756
2451
try:
2774
2469
return timevalue
2775
2470
2776
2471
2777
def daemon(nochdir=False, noclose=False):
2472
def daemon(nochdir = False, noclose = False):
2778
2473
"""See daemon(3). Standard BSD Unix function.
2779
2474
2780
2475
This should really exist as os.daemon, but it doesn't (yet)."""
2781
2476
if os.fork():
2782
2477
sys.exit()
2800
2495
2801
2496
2802
2497
def main():
2803
2498
2804
2499
##################################################################
2805
2500
# Parsing of options, both command line and config file
2806
2501
2807
2502
parser = argparse.ArgumentParser()
2808
2503
parser.add_argument("-v", "--version", action="version",
2809
version="%(prog)s {}".format(version),
2504
version = "%(prog)s {}".format(version),
2810
2505
help="show version number and exit")
2811
2506
parser.add_argument("-i", "--interface", metavar="IF",
2812
2507
help="Bind to interface IF")
2848
2543
parser.add_argument("--no-zeroconf", action="store_false",
2849
2544
dest="zeroconf", help="Do not use Zeroconf",
2850
2545
default=None)
2851
2546
2852
2547
options = parser.parse_args()
2853
2548
2854
2549
if options.check:
2855
2550
import doctest
2856
2551
fail_count, test_count = doctest.testmod()
2857
2552
sys.exit(os.EX_OK if fail_count == 0 else 1)
2858
2553
2859
2554
# Default values for config file for server-global settings
2860
server_defaults = {"interface": "",
2861
"address": "",
2862
"port": "",
2863
"debug": "False",
2864
"priority":
2865
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2866
":+SIGN-DSA-SHA256",
2867
"servicename": "Mandos",
2868
"use_dbus": "True",
2869
"use_ipv6": "True",
2870
"debuglevel": "",
2871
"restore": "True",
2872
"socket": "",
2873
"statedir": "/var/lib/mandos",
2874
"foreground": "False",
2875
"zeroconf": "True",
2876
}
2877
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2878
2573
# Parse config file for server-global settings
2879
2574
server_config = configparser.SafeConfigParser(server_defaults)
2880
2575
del server_defaults
2898
2593
server_settings["socket"] = os.dup(server_settings
2899
2594
["socket"])
2900
2595
del server_config
2901
2596
2902
2597
# Override the settings from the config file with command line
2903
2598
# options, if set.
2904
2599
for option in ("interface", "address", "port", "debug",
2922
2617
if server_settings["debug"]:
2923
2618
server_settings["foreground"] = True
2924
2619
# Now we have our good server settings in "server_settings"
2925
2620
2926
2621
##################################################################
2927
2622
2928
2623
if (not server_settings["zeroconf"]
2929
2624
and not (server_settings["port"]
2930
2625
or server_settings["socket"] != "")):
2931
2626
parser.error("Needs port or socket to work without Zeroconf")
2932
2627
2933
2628
# For convenience
2934
2629
debug = server_settings["debug"]
2935
2630
debuglevel = server_settings["debuglevel"]
2939
2634
stored_state_file)
2940
2635
foreground = server_settings["foreground"]
2941
2636
zeroconf = server_settings["zeroconf"]
2942
2637
2943
2638
if debug:
2944
2639
initlogger(debug, logging.DEBUG)
2945
2640
else:
2948
2643
else:
2949
2644
level = getattr(logging, debuglevel.upper())
2950
2645
initlogger(debug, level)
2951
2646
2952
2647
if server_settings["servicename"] != "Mandos":
2953
2648
syslogger.setFormatter(
2954
2649
logging.Formatter('Mandos ({}) [%(process)d]:'
2955
2650
' %(levelname)s: %(message)s'.format(
2956
2651
server_settings["servicename"])))
2957
2652
2958
2653
# Parse config file with clients
2959
2654
client_config = configparser.SafeConfigParser(Client
2960
2655
.client_defaults)
2961
2656
client_config.read(os.path.join(server_settings["configdir"],
2962
2657
"clients.conf"))
2963
2658
2964
2659
global mandos_dbus_service
2965
2660
mandos_dbus_service = None
2966
2661
2967
2662
socketfd = None
2968
2663
if server_settings["socket"] != "":
2969
2664
socketfd = server_settings["socket"]
2985
2680
except IOError as e:
2986
2681
logger.error("Could not open file %r", pidfilename,
2987
2682
exc_info=e)
2988
2989
for name, group in (("_mandos", "_mandos"),
2990
("mandos", "mandos"),
2991
("nobody", "nogroup")):
2683
2684
for name in ("_mandos", "mandos", "nobody"):
2992
2685
try:
2993
2686
uid = pwd.getpwnam(name).pw_uid
2994
gid = pwd.getpwnam(group).pw_gid
2687
gid = pwd.getpwnam(name).pw_gid
2995
2688
break
2996
2689
except KeyError:
2997
2690
continue
3001
2694
try:
3002
2695
os.setgid(gid)
3003
2696
os.setuid(uid)
3004
if debug:
3005
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3006
gid))
3007
2697
except OSError as error:
3008
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3009
.format(uid, gid, os.strerror(error.errno)))
3010
2698
if error.errno != errno.EPERM:
3011
2699
raise
3012
2700
3013
2701
if debug:
3014
2702
# Enable all possible GnuTLS debugging
3015
2703
3016
2704
# "Use a log level over 10 to enable all debugging options."
3017
2705
# - GnuTLS manual
3018
gnutls.global_set_log_level(11)
3019
3020
@gnutls.log_func
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3021
2709
def debug_gnutls(level, string):
3022
2710
logger.debug("GnuTLS: %s", string[:-1])
3023
3024
gnutls.global_set_log_function(debug_gnutls)
3025
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3026
2715
# Redirect stdin so all checkers get /dev/null
3027
2716
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3028
2717
os.dup2(null, sys.stdin.fileno())
3029
2718
if null > 2:
3030
2719
os.close(null)
3031
2720
3032
2721
# Need to fork before connecting to D-Bus
3033
2722
if not foreground:
3034
2723
# Close all input and output, do double fork, etc.
3035
2724
daemon()
3036
3037
# multiprocessing will use threads, so before we use GLib we need
3038
# to inform GLib that threads will be used.
3039
GLib.threads_init()
3040
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3041
2730
global main_loop
3042
2731
# From the Avahi example code
3043
2732
DBusGMainLoop(set_as_default=True)
3044
main_loop = GLib.MainLoop()
2733
main_loop = gobject.MainLoop()
3045
2734
bus = dbus.SystemBus()
3046
2735
# End of Avahi example code
3047
2736
if use_dbus:
3060
2749
if zeroconf:
3061
2750
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3062
2751
service = AvahiServiceToSyslog(
3063
name=server_settings["servicename"],
3064
servicetype="_mandos._tcp",
3065
protocol=protocol,
3066
bus=bus)
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3067
2756
if server_settings["interface"]:
3068
2757
service.interface = if_nametoindex(
3069
2758
server_settings["interface"].encode("utf-8"))
3070
2759
3071
2760
global multiprocessing_manager
3072
2761
multiprocessing_manager = multiprocessing.Manager()
3073
2762
3074
2763
client_class = Client
3075
2764
if use_dbus:
3076
client_class = functools.partial(ClientDBus, bus=bus)
3077
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3078
2767
client_settings = Client.config_parser(client_config)
3079
2768
old_client_settings = {}
3080
2769
clients_data = {}
3081
2770
3082
2771
# This is used to redirect stdout and stderr for checker processes
3083
2772
global wnull
3084
wnull = open(os.devnull, "w") # A writable /dev/null
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3085
2774
# Only used if server is running in foreground but not in debug
3086
2775
# mode
3087
2776
if debug or not foreground:
3088
2777
wnull.close()
3089
2778
3090
2779
# Get client data and settings from last running state.
3091
2780
if server_settings["restore"]:
3092
2781
try:
3093
2782
with open(stored_state_path, "rb") as stored_state:
3094
if sys.version_info.major == 2:
3095
clients_data, old_client_settings = pickle.load(
3096
stored_state)
3097
else:
3098
bytes_clients_data, bytes_old_client_settings = (
3099
pickle.load(stored_state, encoding="bytes"))
3100
# Fix bytes to strings
3101
# clients_data
3102
# .keys()
3103
clients_data = {(key.decode("utf-8")
3104
if isinstance(key, bytes)
3105
else key): value
3106
for key, value in
3107
bytes_clients_data.items()}
3108
del bytes_clients_data
3109
for key in clients_data:
3110
value = {(k.decode("utf-8")
3111
if isinstance(k, bytes) else k): v
3112
for k, v in
3113
clients_data[key].items()}
3114
clients_data[key] = value
3115
# .client_structure
3116
value["client_structure"] = [
3117
(s.decode("utf-8")
3118
if isinstance(s, bytes)
3119
else s) for s in
3120
value["client_structure"]]
3121
# .name & .host
3122
for k in ("name", "host"):
3123
if isinstance(value[k], bytes):
3124
value[k] = value[k].decode("utf-8")
3125
# old_client_settings
3126
# .keys()
3127
old_client_settings = {
3128
(key.decode("utf-8")
3129
if isinstance(key, bytes)
3130
else key): value
3131
for key, value in
3132
bytes_old_client_settings.items()}
3133
del bytes_old_client_settings
3134
# .host
3135
for value in old_client_settings.values():
3136
if isinstance(value["host"], bytes):
3137
value["host"] = (value["host"]
3138
.decode("utf-8"))
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3139
2785
os.remove(stored_state_path)
3140
2786
except IOError as e:
3141
2787
if e.errno == errno.ENOENT:
3149
2795
logger.warning("Could not load persistent state: "
3150
2796
"EOFError:",
3151
2797
exc_info=e)
3152
2798
3153
2799
with PGPEngine() as pgp:
3154
2800
for client_name, client in clients_data.items():
3155
2801
# Skip removed clients
3156
2802
if client_name not in client_settings:
3157
2803
continue
3158
2804
3159
2805
# Decide which value to use after restoring saved state.
3160
2806
# We have three different values: Old config file,
3161
2807
# new config file, and saved state.
3172
2818
client[name] = value
3173
2819
except KeyError:
3174
2820
pass
3175
2821
3176
2822
# Clients who has passed its expire date can still be
3177
2823
# enabled if its last checker was successful. A Client
3178
2824
# whose checker succeeded before we stored its state is
3211
2857
client_name))
3212
2858
client["secret"] = (client_settings[client_name]
3213
2859
["secret"])
3214
2860
3215
2861
# Add/remove clients based on new changes made to config
3216
2862
for client_name in (set(old_client_settings)
3217
2863
- set(client_settings)):
3219
2865
for client_name in (set(client_settings)
3220
2866
- set(old_client_settings)):
3221
2867
clients_data[client_name] = client_settings[client_name]
3222
2868
3223
2869
# Create all client objects
3224
2870
for client_name, client in clients_data.items():
3225
2871
tcp_server.clients[client_name] = client_class(
3226
name=client_name,
3227
settings=client,
3228
server_settings=server_settings)
3229
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3230
2876
if not tcp_server.clients:
3231
2877
logger.warning("No clients defined")
3232
2878
3233
2879
if not foreground:
3234
2880
if pidfile is not None:
3235
2881
pid = os.getpid()
3241
2887
pidfilename, pid)
3242
2888
del pidfile
3243
2889
del pidfilename
3244
3245
for termsig in (signal.SIGHUP, signal.SIGTERM):
3246
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3247
lambda: main_loop.quit() and False)
3248
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3249
2894
if use_dbus:
3250
2895
3251
2896
@alternate_dbus_interfaces(
3252
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3253
2898
class MandosDBusService(DBusObjectWithObjectManager):
3254
2899
"""A D-Bus proxy object"""
3255
2900
3256
2901
def __init__(self):
3257
2902
dbus.service.Object.__init__(self, bus, "/")
3258
2903
3259
2904
_interface = "se.recompile.Mandos"
3260
2905
3261
2906
@dbus.service.signal(_interface, signature="o")
3262
2907
def ClientAdded(self, objpath):
3263
2908
"D-Bus signal"
3264
2909
pass
3265
2910
3266
2911
@dbus.service.signal(_interface, signature="ss")
3267
2912
def ClientNotFound(self, fingerprint, address):
3268
2913
"D-Bus signal"
3269
2914
pass
3270
2915
3271
2916
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3272
2917
"true"})
3273
2918
@dbus.service.signal(_interface, signature="os")
3274
2919
def ClientRemoved(self, objpath, name):
3275
2920
"D-Bus signal"
3276
2921
pass
3277
2922
3278
2923
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3279
2924
"true"})
3280
2925
@dbus.service.method(_interface, out_signature="ao")
3281
2926
def GetAllClients(self):
3282
2927
"D-Bus method"
3283
2928
return dbus.Array(c.dbus_object_path for c in
3284
tcp_server.clients.values())
3285
2929
tcp_server.clients.itervalues())
2930
3286
2931
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3287
2932
"true"})
3288
2933
@dbus.service.method(_interface,
3290
2935
def GetAllClientsWithProperties(self):
3291
2936
"D-Bus method"
3292
2937
return dbus.Dictionary(
3293
{c.dbus_object_path: c.GetAll(
2938
{ c.dbus_object_path: c.GetAll(
3294
2939
"se.recompile.Mandos.Client")
3295
for c in tcp_server.clients.values()},
2940
for c in tcp_server.clients.itervalues() },
3296
2941
signature="oa{sv}")
3297
2942
3298
2943
@dbus.service.method(_interface, in_signature="o")
3299
2944
def RemoveClient(self, object_path):
3300
2945
"D-Bus method"
3301
for c in tcp_server.clients.values():
2946
for c in tcp_server.clients.itervalues():
3302
2947
if c.dbus_object_path == object_path:
3303
2948
del tcp_server.clients[c.name]
3304
2949
c.remove_from_connection()
3308
2953
self.client_removed_signal(c)
3309
2954
return
3310
2955
raise KeyError(object_path)
3311
2956
3312
2957
del _interface
3313
2958
3314
2959
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3315
out_signature="a{oa{sa{sv}}}")
2960
out_signature = "a{oa{sa{sv}}}")
3316
2961
def GetManagedObjects(self):
3317
2962
"""D-Bus method"""
3318
2963
return dbus.Dictionary(
3319
{client.dbus_object_path:
3320
dbus.Dictionary(
3321
{interface: client.GetAll(interface)
3322
for interface in
3323
client._get_all_interface_names()})
3324
for client in tcp_server.clients.values()})
3325
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3326
2971
def client_added_signal(self, client):
3327
2972
"""Send the new standard signal and the old signal"""
3328
2973
if use_dbus:
3330
2975
self.InterfacesAdded(
3331
2976
client.dbus_object_path,
3332
2977
dbus.Dictionary(
3333
{interface: client.GetAll(interface)
3334
for interface in
3335
client._get_all_interface_names()}))
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3336
2981
# Old signal
3337
2982
self.ClientAdded(client.dbus_object_path)
3338
2983
3339
2984
def client_removed_signal(self, client):
3340
2985
"""Send the new standard signal and the old signal"""
3341
2986
if use_dbus:
3346
2991
# Old signal
3347
2992
self.ClientRemoved(client.dbus_object_path,
3348
2993
client.name)
3349
2994
3350
2995
mandos_dbus_service = MandosDBusService()
3351
3352
# Save modules to variables to exempt the modules from being
3353
# unloaded before the function registered with atexit() is run.
3354
mp = multiprocessing
3355
wn = wnull
3356
2996
3357
2997
def cleanup():
3358
2998
"Cleanup function; run on exit"
3359
2999
if zeroconf:
3360
3000
service.cleanup()
3361
3362
mp.active_children()
3363
wn.close()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3364
3004
if not (tcp_server.clients or client_settings):
3365
3005
return
3366
3006
3367
3007
# Store client before exiting. Secrets are encrypted with key
3368
3008
# based on what config file has. If config file is
3369
3009
# removed/edited, old secret will thus be unrecovable.
3370
3010
clients = {}
3371
3011
with PGPEngine() as pgp:
3372
for client in tcp_server.clients.values():
3012
for client in tcp_server.clients.itervalues():
3373
3013
key = client_settings[client.name]["secret"]
3374
3014
client.encrypted_secret = pgp.encrypt(client.secret,
3375
3015
key)
3376
3016
client_dict = {}
3377
3017
3378
3018
# A list of attributes that can not be pickled
3379
3019
# + secret.
3380
exclude = {"bus", "changedstate", "secret",
3381
"checker", "server_settings"}
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3382
3022
for name, typ in inspect.getmembers(dbus.service
3383
3023
.Object):
3384
3024
exclude.add(name)
3385
3025
3386
3026
client_dict["encrypted_secret"] = (client
3387
3027
.encrypted_secret)
3388
3028
for attr in client.client_structure:
3389
3029
if attr not in exclude:
3390
3030
client_dict[attr] = getattr(client, attr)
3391
3031
3392
3032
clients[client.name] = client_dict
3393
3033
del client_settings[client.name]["secret"]
3394
3034
3395
3035
try:
3396
3036
with tempfile.NamedTemporaryFile(
3397
3037
mode='wb',
3399
3039
prefix='clients-',
3400
3040
dir=os.path.dirname(stored_state_path),
3401
3041
delete=False) as stored_state:
3402
pickle.dump((clients, client_settings), stored_state,
3403
protocol=2)
3042
pickle.dump((clients, client_settings), stored_state)
3404
3043
tempname = stored_state.name
3405
3044
os.rename(tempname, stored_state_path)
3406
3045
except (IOError, OSError) as e:
3416
3055
logger.warning("Could not save persistent state:",
3417
3056
exc_info=e)
3418
3057
raise
3419
3058
3420
3059
# Delete all clients, and settings from config
3421
3060
while tcp_server.clients:
3422
3061
name, client = tcp_server.clients.popitem()
3425
3064
# Don't signal the disabling
3426
3065
client.disable(quiet=True)
3427
3066
# Emit D-Bus signal for removal
3428
if use_dbus:
3429
mandos_dbus_service.client_removed_signal(client)
3067
mandos_dbus_service.client_removed_signal(client)
3430
3068
client_settings.clear()
3431
3069
3432
3070
atexit.register(cleanup)
3433
3434
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3435
3073
if use_dbus:
3436
3074
# Emit D-Bus signal for adding
3437
3075
mandos_dbus_service.client_added_signal(client)
3438
3076
# Need to initiate checking of clients
3439
3077
if client.enabled:
3440
3078
client.init_checker()
3441
3079
3442
3080
tcp_server.enable()
3443
3081
tcp_server.server_activate()
3444
3082
3445
3083
# Find out what port we got
3446
3084
if zeroconf:
3447
3085
service.port = tcp_server.socket.getsockname()[1]
3452
3090
else: # IPv4
3453
3091
logger.info("Now listening on address %r, port %d",
3454
3092
*tcp_server.socket.getsockname())
3455
3456
# service.interface = tcp_server.socket.getsockname()[3]
3457
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3458
3096
try:
3459
3097
if zeroconf:
3460
3098
# From the Avahi example code
3465
3103
cleanup()
3466
3104
sys.exit(1)
3467
3105
# End of Avahi example code
3468
3469
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3470
lambda *args, **kwargs:
3471
(tcp_server.handle_request
3472
(*args[2:], **kwargs) or True))
3473
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3474
3112
logger.debug("Starting main loop")
3475
3113
main_loop.run()
3476
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0