To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 800
- compare with another revision
- download diff
- download tarball
- view history from revision 800
- Committer: Teddy Hogeborn
- Date: 2016-02-21 14:24:01 UTC
- Revision ID: teddy@recompile.se-20160221142401-j7glu6a2hg604d1e
Use AddressSanitizer and UndefinedBehaviorSanitizer.
* Makefile (SANITIZE): New; set to all sanitizing options depending on
GCC version.
(CFLAGS): Added "$(SANITIZE)".
* Makefile (SANITIZE): New; set to all sanitizing options depending on
GCC version.
(CFLAGS): Added "$(SANITIZE)".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- files modified:
- DBUS-API
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.connection
48
import gnutls.errors
49
import gnutls.library.functions
50
import gnutls.library.constants
51
import gnutls.library.types
51
52
try:
52
53
import ConfigParser as configparser
53
54
except ImportError:
80
81
81
82
import dbus
82
83
import dbus.service
83
from gi.repository import GLib
84
try:
85
import gobject
86
except ImportError:
87
from gi.repository import GObject as gobject
88
import avahi
84
89
from dbus.mainloop.glib import DBusGMainLoop
85
90
import ctypes
86
91
import ctypes.util
87
92
import xml.dom.minidom
88
93
import inspect
89
94
90
# Try to find the value of SO_BINDTODEVICE:
91
95
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
96
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
97
except AttributeError:
96
98
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
99
from IN import SO_BINDTODEVICE
100
100
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
101
SO_BINDTODEVICE = None
114
102
115
103
if sys.version_info.major == 2:
116
104
str = unicode
117
105
118
version = "1.8.3"
106
version = "1.7.1"
119
107
stored_state_file = "clients.pickle"
120
108
121
109
logger = logging.getLogger()
125
113
if_nametoindex = ctypes.cdll.LoadLibrary(
126
114
ctypes.util.find_library("c")).if_nametoindex
127
115
except (OSError, AttributeError):
128
116
129
117
def if_nametoindex(interface):
130
118
"Get an interface index the hard way, i.e. using fcntl()"
131
119
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
136
124
return interface_index
137
125
138
126
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
155
127
def initlogger(debug, level=logging.WARNING):
156
128
"""init logger and add loglevel"""
157
129
158
130
global syslogger
159
131
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
162
134
syslogger.setFormatter(logging.Formatter
163
135
('Mandos [%(process)d]: %(levelname)s:'
164
136
' %(message)s'))
165
137
logger.addHandler(syslogger)
166
138
167
139
if debug:
168
140
console = logging.StreamHandler()
169
141
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
153
182
154
class PGPEngine(object):
183
155
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
156
185
157
def __init__(self):
186
158
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
198
159
self.gnupgargs = ['--batch',
199
'--homedir', self.tempdir,
160
'--home', self.tempdir,
200
161
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
162
'--quiet',
163
'--no-use-agent']
164
206
165
def __enter__(self):
207
166
return self
208
167
209
168
def __exit__(self, exc_type, exc_value, traceback):
210
169
self._cleanup()
211
170
return False
212
171
213
172
def __del__(self):
214
173
self._cleanup()
215
174
216
175
def _cleanup(self):
217
176
if self.tempdir is not None:
218
177
# Delete contents of tempdir
219
178
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
179
topdown = False):
221
180
for filename in files:
222
181
os.remove(os.path.join(root, filename))
223
182
for dirname in dirs:
225
184
# Remove tempdir
226
185
os.rmdir(self.tempdir)
227
186
self.tempdir = None
228
187
229
188
def password_encode(self, password):
230
189
# Passphrase can not be empty and can not contain newlines or
231
190
# NUL bytes. So we prefix it and hex encode it.
236
195
.replace(b"\n", b"\\n")
237
196
.replace(b"\0", b"\\x00"))
238
197
return encoded
239
198
240
199
def encrypt(self, data, password):
241
200
passphrase = self.password_encode(password)
242
201
with tempfile.NamedTemporaryFile(
243
202
dir=self.tempdir) as passfile:
244
203
passfile.write(passphrase)
245
204
passfile.flush()
246
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
247
206
'--passphrase-file',
248
207
passfile.name]
249
208
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
254
213
if proc.returncode != 0:
255
214
raise PGPError(err)
256
215
return ciphertext
257
216
258
217
def decrypt(self, data, password):
259
218
passphrase = self.password_encode(password)
260
219
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
262
221
passfile.write(passphrase)
263
222
passfile.flush()
264
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
265
224
'--passphrase-file',
266
225
passfile.name]
267
226
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
272
231
if proc.returncode != 0:
273
232
raise PGPError(err)
274
233
return decrypted_plaintext
275
234
276
235
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
304
236
class AvahiError(Exception):
305
237
def __init__(self, value, *args, **kwargs):
306
238
self.value = value
318
250
319
251
class AvahiService(object):
320
252
"""An Avahi (Zeroconf) service.
321
253
322
254
Attributes:
323
255
interface: integer; avahi.IF_UNSPEC or an interface index.
324
256
Used to optionally bind to the specified interface.
336
268
server: D-Bus Server
337
269
bus: dbus.SystemBus()
338
270
"""
339
271
340
272
def __init__(self,
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
273
interface = avahi.IF_UNSPEC,
274
name = None,
275
servicetype = None,
276
port = None,
277
TXT = None,
278
domain = "",
279
host = "",
280
max_renames = 32768,
281
protocol = avahi.PROTO_UNSPEC,
282
bus = None):
351
283
self.interface = interface
352
284
self.name = name
353
285
self.type = servicetype
362
294
self.server = None
363
295
self.bus = bus
364
296
self.entry_group_state_changed_match = None
365
297
366
298
def rename(self, remove=True):
367
299
"""Derived from the Avahi example code"""
368
300
if self.rename_count >= self.max_renames:
388
320
logger.critical("D-Bus Exception", exc_info=error)
389
321
self.cleanup()
390
322
os._exit(1)
391
323
392
324
def remove(self):
393
325
"""Derived from the Avahi example code"""
394
326
if self.entry_group_state_changed_match is not None:
396
328
self.entry_group_state_changed_match = None
397
329
if self.group is not None:
398
330
self.group.Reset()
399
331
400
332
def add(self):
401
333
"""Derived from the Avahi example code"""
402
334
self.remove()
419
351
dbus.UInt16(self.port),
420
352
avahi.string_array_to_txt_array(self.TXT))
421
353
self.group.Commit()
422
354
423
355
def entry_group_state_changed(self, state, error):
424
356
"""Derived from the Avahi example code"""
425
357
logger.debug("Avahi entry group state change: %i", state)
426
358
427
359
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
360
logger.debug("Zeroconf service established.")
429
361
elif state == avahi.ENTRY_GROUP_COLLISION:
433
365
logger.critical("Avahi: Error in group state changed %s",
434
366
str(error))
435
367
raise AvahiGroupError("State changed: {!s}".format(error))
436
368
437
369
def cleanup(self):
438
370
"""Derived from the Avahi example code"""
439
371
if self.group is not None:
444
376
pass
445
377
self.group = None
446
378
self.remove()
447
379
448
380
def server_state_changed(self, state, error=None):
449
381
"""Derived from the Avahi example code"""
450
382
logger.debug("Avahi server state change: %i", state)
479
411
logger.debug("Unknown state: %r", state)
480
412
else:
481
413
logger.debug("Unknown state: %r: %r", state, error)
482
414
483
415
def activate(self):
484
416
"""Derived from the Avahi example code"""
485
417
if self.server is None:
496
428
class AvahiServiceToSyslog(AvahiService):
497
429
def rename(self, *args, **kwargs):
498
430
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
500
432
syslogger.setFormatter(logging.Formatter(
501
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
434
.format(self.name)))
503
435
return ret
504
436
505
506
# Pretend that we have a GnuTLS module
507
class GnuTLS(object):
508
"""This isn't so much a class as it is a module-like namespace.
509
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
516
_need_version = b"3.3.0"
517
_tls_rawpk_version = b"3.6.6"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
528
529
# Constants
530
E_SUCCESS = 0
531
E_INTERRUPTED = -52
532
E_AGAIN = -28
533
CRT_OPENPGP = 2
534
CRT_RAWPK = 3
535
CLIENT = 2
536
SHUT_RDWR = 0
537
CRD_CERTIFICATE = 1
538
E_NO_CERTIFICATE_FOUND = -49
539
X509_FMT_DER = 0
540
NO_TICKETS = 1<<10
541
ENABLE_RAWPK = 1<<18
542
CTYPE_PEERS = 3
543
KEYID_USE_SHA256 = 1 # gnutls/x509.h
544
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
545
546
# Types
547
class session_int(ctypes.Structure):
548
_fields_ = []
549
session_t = ctypes.POINTER(session_int)
550
551
class certificate_credentials_st(ctypes.Structure):
552
_fields_ = []
553
certificate_credentials_t = ctypes.POINTER(
554
certificate_credentials_st)
555
certificate_type_t = ctypes.c_int
556
557
class datum_t(ctypes.Structure):
558
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
559
('size', ctypes.c_uint)]
560
561
class openpgp_crt_int(ctypes.Structure):
562
_fields_ = []
563
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
564
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
565
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
566
credentials_type_t = ctypes.c_int
567
transport_ptr_t = ctypes.c_void_p
568
close_request_t = ctypes.c_int
569
570
# Exceptions
571
class Error(Exception):
572
# We need to use the class name "GnuTLS" here, since this
573
# exception might be raised from within GnuTLS.__init__,
574
# which is called before the assignment to the "gnutls"
575
# global variable has happened.
576
def __init__(self, message=None, code=None, args=()):
577
# Default usage is by a message string, but if a return
578
# code is passed, convert it to a string with
579
# gnutls.strerror()
580
self.code = code
581
if message is None and code is not None:
582
message = GnuTLS.strerror(code)
583
return super(GnuTLS.Error, self).__init__(
584
message, *args)
585
586
class CertificateSecurityError(Error):
587
pass
588
589
# Classes
590
class Credentials(object):
591
def __init__(self):
592
self._c_object = gnutls.certificate_credentials_t()
593
gnutls.certificate_allocate_credentials(
594
ctypes.byref(self._c_object))
595
self.type = gnutls.CRD_CERTIFICATE
596
597
def __del__(self):
598
gnutls.certificate_free_credentials(self._c_object)
599
600
class ClientSession(object):
601
def __init__(self, socket, credentials=None):
602
self._c_object = gnutls.session_t()
603
gnutls_flags = gnutls.CLIENT
604
if gnutls.check_version("3.5.6"):
605
gnutls_flags |= gnutls.NO_TICKETS
606
if gnutls.has_rawpk:
607
gnutls_flags |= gnutls.ENABLE_RAWPK
608
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
609
del gnutls_flags
610
gnutls.set_default_priority(self._c_object)
611
gnutls.transport_set_ptr(self._c_object, socket.fileno())
612
gnutls.handshake_set_private_extensions(self._c_object,
613
True)
614
self.socket = socket
615
if credentials is None:
616
credentials = gnutls.Credentials()
617
gnutls.credentials_set(self._c_object, credentials.type,
618
ctypes.cast(credentials._c_object,
619
ctypes.c_void_p))
620
self.credentials = credentials
621
622
def __del__(self):
623
gnutls.deinit(self._c_object)
624
625
def handshake(self):
626
return gnutls.handshake(self._c_object)
627
628
def send(self, data):
629
data = bytes(data)
630
data_len = len(data)
631
while data_len > 0:
632
data_len -= gnutls.record_send(self._c_object,
633
data[-data_len:],
634
data_len)
635
636
def bye(self):
637
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
638
639
# Error handling functions
640
def _error_code(result):
641
"""A function to raise exceptions on errors, suitable
642
for the 'restype' attribute on ctypes functions"""
643
if result >= 0:
644
return result
645
if result == gnutls.E_NO_CERTIFICATE_FOUND:
646
raise gnutls.CertificateSecurityError(code=result)
647
raise gnutls.Error(code=result)
648
649
def _retry_on_error(result, func, arguments):
650
"""A function to retry on some errors, suitable
651
for the 'errcheck' attribute on ctypes functions"""
652
while result < 0:
653
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
654
return _error_code(result)
655
result = func(*arguments)
656
return result
657
658
# Unless otherwise indicated, the function declarations below are
659
# all from the gnutls/gnutls.h C header file.
660
661
# Functions
662
priority_set_direct = _library.gnutls_priority_set_direct
663
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
664
ctypes.POINTER(ctypes.c_char_p)]
665
priority_set_direct.restype = _error_code
666
667
init = _library.gnutls_init
668
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
669
init.restype = _error_code
670
671
set_default_priority = _library.gnutls_set_default_priority
672
set_default_priority.argtypes = [session_t]
673
set_default_priority.restype = _error_code
674
675
record_send = _library.gnutls_record_send
676
record_send.argtypes = [session_t, ctypes.c_void_p,
677
ctypes.c_size_t]
678
record_send.restype = ctypes.c_ssize_t
679
record_send.errcheck = _retry_on_error
680
681
certificate_allocate_credentials = (
682
_library.gnutls_certificate_allocate_credentials)
683
certificate_allocate_credentials.argtypes = [
684
ctypes.POINTER(certificate_credentials_t)]
685
certificate_allocate_credentials.restype = _error_code
686
687
certificate_free_credentials = (
688
_library.gnutls_certificate_free_credentials)
689
certificate_free_credentials.argtypes = [
690
certificate_credentials_t]
691
certificate_free_credentials.restype = None
692
693
handshake_set_private_extensions = (
694
_library.gnutls_handshake_set_private_extensions)
695
handshake_set_private_extensions.argtypes = [session_t,
696
ctypes.c_int]
697
handshake_set_private_extensions.restype = None
698
699
credentials_set = _library.gnutls_credentials_set
700
credentials_set.argtypes = [session_t, credentials_type_t,
701
ctypes.c_void_p]
702
credentials_set.restype = _error_code
703
704
strerror = _library.gnutls_strerror
705
strerror.argtypes = [ctypes.c_int]
706
strerror.restype = ctypes.c_char_p
707
708
certificate_type_get = _library.gnutls_certificate_type_get
709
certificate_type_get.argtypes = [session_t]
710
certificate_type_get.restype = _error_code
711
712
certificate_get_peers = _library.gnutls_certificate_get_peers
713
certificate_get_peers.argtypes = [session_t,
714
ctypes.POINTER(ctypes.c_uint)]
715
certificate_get_peers.restype = ctypes.POINTER(datum_t)
716
717
global_set_log_level = _library.gnutls_global_set_log_level
718
global_set_log_level.argtypes = [ctypes.c_int]
719
global_set_log_level.restype = None
720
721
global_set_log_function = _library.gnutls_global_set_log_function
722
global_set_log_function.argtypes = [log_func]
723
global_set_log_function.restype = None
724
725
deinit = _library.gnutls_deinit
726
deinit.argtypes = [session_t]
727
deinit.restype = None
728
729
handshake = _library.gnutls_handshake
730
handshake.argtypes = [session_t]
731
handshake.restype = _error_code
732
handshake.errcheck = _retry_on_error
733
734
transport_set_ptr = _library.gnutls_transport_set_ptr
735
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
736
transport_set_ptr.restype = None
737
738
bye = _library.gnutls_bye
739
bye.argtypes = [session_t, close_request_t]
740
bye.restype = _error_code
741
bye.errcheck = _retry_on_error
742
743
check_version = _library.gnutls_check_version
744
check_version.argtypes = [ctypes.c_char_p]
745
check_version.restype = ctypes.c_char_p
746
747
has_rawpk = bool(check_version(_tls_rawpk_version))
748
749
if has_rawpk:
750
# Types
751
class pubkey_st(ctypes.Structure):
752
_fields = []
753
pubkey_t = ctypes.POINTER(pubkey_st)
754
755
x509_crt_fmt_t = ctypes.c_int
756
757
# All the function declarations below are from gnutls/abstract.h
758
pubkey_init = _library.gnutls_pubkey_init
759
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
760
pubkey_init.restype = _error_code
761
762
pubkey_import = _library.gnutls_pubkey_import
763
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
764
x509_crt_fmt_t]
765
pubkey_import.restype = _error_code
766
767
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
768
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
769
ctypes.POINTER(ctypes.c_ubyte),
770
ctypes.POINTER(ctypes.c_size_t)]
771
pubkey_get_key_id.restype = _error_code
772
773
pubkey_deinit = _library.gnutls_pubkey_deinit
774
pubkey_deinit.argtypes = [pubkey_t]
775
pubkey_deinit.restype = None
776
else:
777
# All the function declarations below are from gnutls/openpgp.h
778
779
openpgp_crt_init = _library.gnutls_openpgp_crt_init
780
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
781
openpgp_crt_init.restype = _error_code
782
783
openpgp_crt_import = _library.gnutls_openpgp_crt_import
784
openpgp_crt_import.argtypes = [openpgp_crt_t,
785
ctypes.POINTER(datum_t),
786
openpgp_crt_fmt_t]
787
openpgp_crt_import.restype = _error_code
788
789
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
790
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
791
ctypes.POINTER(ctypes.c_uint)]
792
openpgp_crt_verify_self.restype = _error_code
793
794
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
795
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
796
openpgp_crt_deinit.restype = None
797
798
openpgp_crt_get_fingerprint = (
799
_library.gnutls_openpgp_crt_get_fingerprint)
800
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
801
ctypes.c_void_p,
802
ctypes.POINTER(
803
ctypes.c_size_t)]
804
openpgp_crt_get_fingerprint.restype = _error_code
805
806
if check_version("3.6.4"):
807
certificate_type_get2 = _library.gnutls_certificate_type_get2
808
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
809
certificate_type_get2.restype = _error_code
810
811
# Remove non-public functions
812
del _error_code, _retry_on_error
813
# Create the global "gnutls" object, simulating a module
814
gnutls = GnuTLS()
815
816
817
437
def call_pipe(connection, # : multiprocessing.Connection
818
438
func, *args, **kwargs):
819
439
"""This function is meant to be called by multiprocessing.Process
820
440
821
441
This function runs func(*args, **kwargs), and writes the resulting
822
442
return value on the provided multiprocessing.Connection.
823
443
"""
824
444
connection.send(func(*args, **kwargs))
825
445
connection.close()
826
446
827
828
447
class Client(object):
829
448
"""A representation of a client host served by this server.
830
449
831
450
Attributes:
832
451
approved: bool(); 'None' if not yet approved/disapproved
833
452
approval_delay: datetime.timedelta(); Time to wait for approval
835
454
checker: subprocess.Popen(); a running checker process used
836
455
to see if the client lives.
837
456
'None' if no process is running.
838
checker_callback_tag: a GLib event source tag, or None
457
checker_callback_tag: a gobject event source tag, or None
839
458
checker_command: string; External command which is run to check
840
459
if client lives. %() expansions are done at
841
460
runtime with vars(self) as dict, so that for
842
461
instance %(name)s can be used in the command.
843
checker_initiator_tag: a GLib event source tag, or None
462
checker_initiator_tag: a gobject event source tag, or None
844
463
created: datetime.datetime(); (UTC) object creation
845
464
client_structure: Object describing what attributes a client has
846
465
and is used for storing the client at exit
847
466
current_checker_command: string; current running checker_command
848
disable_initiator_tag: a GLib event source tag, or None
467
disable_initiator_tag: a gobject event source tag, or None
849
468
enabled: bool()
850
469
fingerprint: string (40 or 32 hexadecimal digits); used to
851
uniquely identify an OpenPGP client
852
key_id: string (64 hexadecimal digits); used to uniquely identify
853
a client using raw public keys
470
uniquely identify the client
854
471
host: string; available for use by the checker command
855
472
interval: datetime.timedelta(); How often to start a new checker
856
473
last_approval_request: datetime.datetime(); (UTC) or None
872
489
disabled, or None
873
490
server_settings: The server_settings dict from main()
874
491
"""
875
492
876
493
runtime_expansions = ("approval_delay", "approval_duration",
877
"created", "enabled", "expires", "key_id",
494
"created", "enabled", "expires",
878
495
"fingerprint", "host", "interval",
879
496
"last_approval_request", "last_checked_ok",
880
497
"last_enabled", "name", "timeout")
889
506
"approved_by_default": "True",
890
507
"enabled": "True",
891
508
}
892
509
893
510
@staticmethod
894
511
def config_parser(config):
895
512
"""Construct a new dict of client settings of this form:
902
519
for client_name in config.sections():
903
520
section = dict(config.items(client_name))
904
521
client = settings[client_name] = {}
905
522
906
523
client["host"] = section["host"]
907
524
# Reformat values from string types to Python types
908
525
client["approved_by_default"] = config.getboolean(
909
526
client_name, "approved_by_default")
910
527
client["enabled"] = config.getboolean(client_name,
911
528
"enabled")
912
913
# Uppercase and remove spaces from key_id and fingerprint
914
# for later comparison purposes with return value from the
915
# key_id() and fingerprint() functions
916
client["key_id"] = (section.get("key_id", "").upper()
917
.replace(" ", ""))
529
530
# Uppercase and remove spaces from fingerprint for later
531
# comparison purposes with return value from the
532
# fingerprint() function
918
533
client["fingerprint"] = (section["fingerprint"].upper()
919
534
.replace(" ", ""))
920
535
if "secret" in section:
921
client["secret"] = codecs.decode(section["secret"]
922
.encode("utf-8"),
923
"base64")
536
client["secret"] = section["secret"].decode("base64")
924
537
elif "secfile" in section:
925
538
with open(os.path.expanduser(os.path.expandvars
926
539
(section["secfile"])),
941
554
client["last_approval_request"] = None
942
555
client["last_checked_ok"] = None
943
556
client["last_checker_status"] = -2
944
557
945
558
return settings
946
947
def __init__(self, settings, name=None, server_settings=None):
559
560
def __init__(self, settings, name = None, server_settings=None):
948
561
self.name = name
949
562
if server_settings is None:
950
563
server_settings = {}
952
565
# adding all client settings
953
566
for setting, value in settings.items():
954
567
setattr(self, setting, value)
955
568
956
569
if self.enabled:
957
570
if not hasattr(self, "last_enabled"):
958
571
self.last_enabled = datetime.datetime.utcnow()
962
575
else:
963
576
self.last_enabled = None
964
577
self.expires = None
965
578
966
579
logger.debug("Creating client %r", self.name)
967
logger.debug(" Key ID: %s", self.key_id)
968
580
logger.debug(" Fingerprint: %s", self.fingerprint)
969
581
self.created = settings.get("created",
970
582
datetime.datetime.utcnow())
971
583
972
584
# attributes specific for this server instance
973
585
self.checker = None
974
586
self.checker_initiator_tag = None
980
592
self.changedstate = multiprocessing_manager.Condition(
981
593
multiprocessing_manager.Lock())
982
594
self.client_structure = [attr
983
for attr in self.__dict__.keys()
595
for attr in self.__dict__.iterkeys()
984
596
if not attr.startswith("_")]
985
597
self.client_structure.append("client_structure")
986
598
987
599
for name, t in inspect.getmembers(
988
600
type(self), lambda obj: isinstance(obj, property)):
989
601
if not name.startswith("_"):
990
602
self.client_structure.append(name)
991
603
992
604
# Send notice to process children that client state has changed
993
605
def send_changedstate(self):
994
606
with self.changedstate:
995
607
self.changedstate.notify_all()
996
608
997
609
def enable(self):
998
610
"""Start this client's checker and timeout hooks"""
999
611
if getattr(self, "enabled", False):
1004
616
self.last_enabled = datetime.datetime.utcnow()
1005
617
self.init_checker()
1006
618
self.send_changedstate()
1007
619
1008
620
def disable(self, quiet=True):
1009
621
"""Disable this client."""
1010
622
if not getattr(self, "enabled", False):
1012
624
if not quiet:
1013
625
logger.info("Disabling client %s", self.name)
1014
626
if getattr(self, "disable_initiator_tag", None) is not None:
1015
GLib.source_remove(self.disable_initiator_tag)
627
gobject.source_remove(self.disable_initiator_tag)
1016
628
self.disable_initiator_tag = None
1017
629
self.expires = None
1018
630
if getattr(self, "checker_initiator_tag", None) is not None:
1019
GLib.source_remove(self.checker_initiator_tag)
631
gobject.source_remove(self.checker_initiator_tag)
1020
632
self.checker_initiator_tag = None
1021
633
self.stop_checker()
1022
634
self.enabled = False
1023
635
if not quiet:
1024
636
self.send_changedstate()
1025
# Do not run this again if called by a GLib.timeout_add
637
# Do not run this again if called by a gobject.timeout_add
1026
638
return False
1027
639
1028
640
def __del__(self):
1029
641
self.disable()
1030
642
1031
643
def init_checker(self):
1032
644
# Schedule a new checker to be started an 'interval' from now,
1033
645
# and every interval from then on.
1034
646
if self.checker_initiator_tag is not None:
1035
GLib.source_remove(self.checker_initiator_tag)
1036
self.checker_initiator_tag = GLib.timeout_add(
647
gobject.source_remove(self.checker_initiator_tag)
648
self.checker_initiator_tag = gobject.timeout_add(
1037
649
int(self.interval.total_seconds() * 1000),
1038
650
self.start_checker)
1039
651
# Schedule a disable() when 'timeout' has passed
1040
652
if self.disable_initiator_tag is not None:
1041
GLib.source_remove(self.disable_initiator_tag)
1042
self.disable_initiator_tag = GLib.timeout_add(
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = gobject.timeout_add(
1043
655
int(self.timeout.total_seconds() * 1000), self.disable)
1044
656
# Also start a new checker *right now*.
1045
657
self.start_checker()
1046
658
1047
659
def checker_callback(self, source, condition, connection,
1048
660
command):
1049
661
"""The checker has completed, so take appropriate actions."""
1052
664
# Read return code from connection (see call_pipe)
1053
665
returncode = connection.recv()
1054
666
connection.close()
1055
667
1056
668
if returncode >= 0:
1057
669
self.last_checker_status = returncode
1058
670
self.last_checker_signal = None
1068
680
logger.warning("Checker for %(name)s crashed?",
1069
681
vars(self))
1070
682
return False
1071
683
1072
684
def checked_ok(self):
1073
685
"""Assert that the client has been seen, alive and well."""
1074
686
self.last_checked_ok = datetime.datetime.utcnow()
1075
687
self.last_checker_status = 0
1076
688
self.last_checker_signal = None
1077
689
self.bump_timeout()
1078
690
1079
691
def bump_timeout(self, timeout=None):
1080
692
"""Bump up the timeout for this client."""
1081
693
if timeout is None:
1082
694
timeout = self.timeout
1083
695
if self.disable_initiator_tag is not None:
1084
GLib.source_remove(self.disable_initiator_tag)
696
gobject.source_remove(self.disable_initiator_tag)
1085
697
self.disable_initiator_tag = None
1086
698
if getattr(self, "enabled", False):
1087
self.disable_initiator_tag = GLib.timeout_add(
699
self.disable_initiator_tag = gobject.timeout_add(
1088
700
int(timeout.total_seconds() * 1000), self.disable)
1089
701
self.expires = datetime.datetime.utcnow() + timeout
1090
702
1091
703
def need_approval(self):
1092
704
self.last_approval_request = datetime.datetime.utcnow()
1093
705
1094
706
def start_checker(self):
1095
707
"""Start a new checker subprocess if one is not running.
1096
708
1097
709
If a checker already exists, leave it running and do
1098
710
nothing."""
1099
711
# The reason for not killing a running checker is that if we
1104
716
# checkers alone, the checker would have to take more time
1105
717
# than 'timeout' for the client to be disabled, which is as it
1106
718
# should be.
1107
719
1108
720
if self.checker is not None and not self.checker.is_alive():
1109
721
logger.warning("Checker was not alive; joining")
1110
722
self.checker.join()
1114
726
# Escape attributes for the shell
1115
727
escaped_attrs = {
1116
728
attr: re.escape(str(getattr(self, attr)))
1117
for attr in self.runtime_expansions}
729
for attr in self.runtime_expansions }
1118
730
try:
1119
731
command = self.checker_command % escaped_attrs
1120
732
except TypeError as error:
1132
744
# The exception is when not debugging but nevertheless
1133
745
# running in the foreground; use the previously
1134
746
# created wnull.
1135
popen_args = {"close_fds": True,
1136
"shell": True,
1137
"cwd": "/"}
747
popen_args = { "close_fds": True,
748
"shell": True,
749
"cwd": "/" }
1138
750
if (not self.server_settings["debug"]
1139
751
and self.server_settings["foreground"]):
1140
752
popen_args.update({"stdout": wnull,
1141
"stderr": wnull})
1142
pipe = multiprocessing.Pipe(duplex=False)
753
"stderr": wnull })
754
pipe = multiprocessing.Pipe(duplex = False)
1143
755
self.checker = multiprocessing.Process(
1144
target=call_pipe,
1145
args=(pipe[1], subprocess.call, command),
1146
kwargs=popen_args)
756
target = call_pipe,
757
args = (pipe[1], subprocess.call, command),
758
kwargs = popen_args)
1147
759
self.checker.start()
1148
self.checker_callback_tag = GLib.io_add_watch(
1149
pipe[0].fileno(), GLib.IO_IN,
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
1150
762
self.checker_callback, pipe[0], command)
1151
# Re-run this periodically if run by GLib.timeout_add
763
# Re-run this periodically if run by gobject.timeout_add
1152
764
return True
1153
765
1154
766
def stop_checker(self):
1155
767
"""Force the checker process, if any, to stop."""
1156
768
if self.checker_callback_tag:
1157
GLib.source_remove(self.checker_callback_tag)
769
gobject.source_remove(self.checker_callback_tag)
1158
770
self.checker_callback_tag = None
1159
771
if getattr(self, "checker", None) is None:
1160
772
return
1169
781
byte_arrays=False):
1170
782
"""Decorators for marking methods of a DBusObjectWithProperties to
1171
783
become properties on the D-Bus.
1172
784
1173
785
The decorated method will be called with no arguments by "Get"
1174
786
and with one argument by "Set".
1175
787
1176
788
The parameters, where they are supported, are the same as
1177
789
dbus.service.method, except there is only "signature", since the
1178
790
type from Get() and the type sent to Set() is the same.
1182
794
if byte_arrays and signature != "ay":
1183
795
raise ValueError("Byte arrays not supported for non-'ay'"
1184
796
" signature {!r}".format(signature))
1185
797
1186
798
def decorator(func):
1187
799
func._dbus_is_property = True
1188
800
func._dbus_interface = dbus_interface
1191
803
func._dbus_name = func.__name__
1192
804
if func._dbus_name.endswith("_dbus_property"):
1193
805
func._dbus_name = func._dbus_name[:-14]
1194
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1195
807
return func
1196
808
1197
809
return decorator
1198
810
1199
811
1200
812
def dbus_interface_annotations(dbus_interface):
1201
813
"""Decorator for marking functions returning interface annotations
1202
814
1203
815
Usage:
1204
816
1205
817
@dbus_interface_annotations("org.example.Interface")
1206
818
def _foo(self): # Function name does not matter
1207
819
return {"org.freedesktop.DBus.Deprecated": "true",
1208
820
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1209
821
"false"}
1210
822
"""
1211
823
1212
824
def decorator(func):
1213
825
func._dbus_is_interface = True
1214
826
func._dbus_interface = dbus_interface
1215
827
func._dbus_name = dbus_interface
1216
828
return func
1217
829
1218
830
return decorator
1219
831
1220
832
1221
833
def dbus_annotations(annotations):
1222
834
"""Decorator to annotate D-Bus methods, signals or properties
1223
835
Usage:
1224
836
1225
837
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1226
838
"org.freedesktop.DBus.Property."
1227
839
"EmitsChangedSignal": "false"})
1229
841
access="r")
1230
842
def Property_dbus_property(self):
1231
843
return dbus.Boolean(False)
1232
844
1233
845
See also the DBusObjectWithAnnotations class.
1234
846
"""
1235
847
1236
848
def decorator(func):
1237
849
func._dbus_annotations = annotations
1238
850
return func
1239
851
1240
852
return decorator
1241
853
1242
854
1260
872
1261
873
class DBusObjectWithAnnotations(dbus.service.Object):
1262
874
"""A D-Bus object with annotations.
1263
875
1264
876
Classes inheriting from this can use the dbus_annotations
1265
877
decorator to add annotations to methods or signals.
1266
878
"""
1267
879
1268
880
@staticmethod
1269
881
def _is_dbus_thing(thing):
1270
882
"""Returns a function testing if an attribute is a D-Bus thing
1271
883
1272
884
If called like _is_dbus_thing("method") it returns a function
1273
885
suitable for use as predicate to inspect.getmembers().
1274
886
"""
1275
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1276
888
False)
1277
889
1278
890
def _get_all_dbus_things(self, thing):
1279
891
"""Returns a generator of (name, attribute) pairs
1280
892
"""
1283
895
for cls in self.__class__.__mro__
1284
896
for name, athing in
1285
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1286
898
1287
899
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1288
out_signature="s",
1289
path_keyword='object_path',
1290
connection_keyword='connection')
900
out_signature = "s",
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
1291
903
def Introspect(self, object_path, connection):
1292
904
"""Overloading of standard D-Bus method.
1293
905
1294
906
Inserts annotation tags on methods and signals.
1295
907
"""
1296
908
xmlstring = dbus.service.Object.Introspect(self, object_path,
1297
909
connection)
1298
910
try:
1299
911
document = xml.dom.minidom.parseString(xmlstring)
1300
912
1301
913
for if_tag in document.getElementsByTagName("interface"):
1302
914
# Add annotation tags
1303
915
for typ in ("method", "signal"):
1330
942
if_tag.appendChild(ann_tag)
1331
943
# Fix argument name for the Introspect method itself
1332
944
if (if_tag.getAttribute("name")
1333
== dbus.INTROSPECTABLE_IFACE):
945
== dbus.INTROSPECTABLE_IFACE):
1334
946
for cn in if_tag.getElementsByTagName("method"):
1335
947
if cn.getAttribute("name") == "Introspect":
1336
948
for arg in cn.getElementsByTagName("arg"):
1349
961
1350
962
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1351
963
"""A D-Bus object with properties.
1352
964
1353
965
Classes inheriting from this can use the dbus_service_property
1354
966
decorator to expose methods as D-Bus properties. It exposes the
1355
967
standard Get(), Set(), and GetAll() methods on the D-Bus.
1356
968
"""
1357
969
1358
970
def _get_dbus_property(self, interface_name, property_name):
1359
971
"""Returns a bound method if one exists which is a D-Bus
1360
972
property with the specified name and interface.
1365
977
if (value._dbus_name == property_name
1366
978
and value._dbus_interface == interface_name):
1367
979
return value.__get__(self)
1368
980
1369
981
# No such property
1370
982
raise DBusPropertyNotFound("{}:{}.{}".format(
1371
983
self.dbus_object_path, interface_name, property_name))
1372
984
1373
985
@classmethod
1374
986
def _get_all_interface_names(cls):
1375
987
"""Get a sequence of all interfaces supported by an object"""
1378
990
for x in (inspect.getmro(cls))
1379
991
for attr in dir(x))
1380
992
if name is not None)
1381
993
1382
994
@dbus.service.method(dbus.PROPERTIES_IFACE,
1383
995
in_signature="ss",
1384
996
out_signature="v")
1392
1004
if not hasattr(value, "variant_level"):
1393
1005
return value
1394
1006
return type(value)(value, variant_level=value.variant_level+1)
1395
1007
1396
1008
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1397
1009
def Set(self, interface_name, property_name, value):
1398
1010
"""Standard D-Bus property Set() method, see D-Bus standard.
1410
1022
value = dbus.ByteArray(b''.join(chr(byte)
1411
1023
for byte in value))
1412
1024
prop(value)
1413
1025
1414
1026
@dbus.service.method(dbus.PROPERTIES_IFACE,
1415
1027
in_signature="s",
1416
1028
out_signature="a{sv}")
1417
1029
def GetAll(self, interface_name):
1418
1030
"""Standard D-Bus property GetAll() method, see D-Bus
1419
1031
standard.
1420
1032
1421
1033
Note: Will not include properties with access="write".
1422
1034
"""
1423
1035
properties = {}
1434
1046
properties[name] = value
1435
1047
continue
1436
1048
properties[name] = type(value)(
1437
value, variant_level=value.variant_level + 1)
1049
value, variant_level = value.variant_level + 1)
1438
1050
return dbus.Dictionary(properties, signature="sv")
1439
1051
1440
1052
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1441
1053
def PropertiesChanged(self, interface_name, changed_properties,
1442
1054
invalidated_properties):
1444
1056
standard.
1445
1057
"""
1446
1058
pass
1447
1059
1448
1060
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1449
1061
out_signature="s",
1450
1062
path_keyword='object_path',
1451
1063
connection_keyword='connection')
1452
1064
def Introspect(self, object_path, connection):
1453
1065
"""Overloading of standard D-Bus method.
1454
1066
1455
1067
Inserts property tags and interface annotation tags.
1456
1068
"""
1457
1069
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1459
1071
connection)
1460
1072
try:
1461
1073
document = xml.dom.minidom.parseString(xmlstring)
1462
1074
1463
1075
def make_tag(document, name, prop):
1464
1076
e = document.createElement("property")
1465
1077
e.setAttribute("name", name)
1466
1078
e.setAttribute("type", prop._dbus_signature)
1467
1079
e.setAttribute("access", prop._dbus_access)
1468
1080
return e
1469
1081
1470
1082
for if_tag in document.getElementsByTagName("interface"):
1471
1083
# Add property tags
1472
1084
for tag in (make_tag(document, name, prop)
1514
1126
exc_info=error)
1515
1127
return xmlstring
1516
1128
1517
1518
1129
try:
1519
1130
dbus.OBJECT_MANAGER_IFACE
1520
1131
except AttributeError:
1521
1132
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1522
1133
1523
1524
1134
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1525
1135
"""A D-Bus object with an ObjectManager.
1526
1136
1527
1137
Classes inheriting from this exposes the standard
1528
1138
GetManagedObjects call and the InterfacesAdded and
1529
1139
InterfacesRemoved signals on the standard
1530
1140
"org.freedesktop.DBus.ObjectManager" interface.
1531
1141
1532
1142
Note: No signals are sent automatically; they must be sent
1533
1143
manually.
1534
1144
"""
1535
1145
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1536
out_signature="a{oa{sa{sv}}}")
1146
out_signature = "a{oa{sa{sv}}}")
1537
1147
def GetManagedObjects(self):
1538
1148
"""This function must be overridden"""
1539
1149
raise NotImplementedError()
1540
1150
1541
1151
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1542
signature="oa{sa{sv}}")
1152
signature = "oa{sa{sv}}")
1543
1153
def InterfacesAdded(self, object_path, interfaces_and_properties):
1544
1154
pass
1545
1546
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1155
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1547
1157
def InterfacesRemoved(self, object_path, interfaces):
1548
1158
pass
1549
1159
1550
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1551
out_signature="s",
1552
path_keyword='object_path',
1553
connection_keyword='connection')
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1554
1164
def Introspect(self, object_path, connection):
1555
1165
"""Overloading of standard D-Bus method.
1556
1166
1557
1167
Override return argument name of GetManagedObjects to be
1558
1168
"objpath_interfaces_and_properties"
1559
1169
"""
1562
1172
connection)
1563
1173
try:
1564
1174
document = xml.dom.minidom.parseString(xmlstring)
1565
1175
1566
1176
for if_tag in document.getElementsByTagName("interface"):
1567
1177
# Fix argument name for the GetManagedObjects method
1568
1178
if (if_tag.getAttribute("name")
1569
== dbus.OBJECT_MANAGER_IFACE):
1179
== dbus.OBJECT_MANAGER_IFACE):
1570
1180
for cn in if_tag.getElementsByTagName("method"):
1571
1181
if (cn.getAttribute("name")
1572
1182
== "GetManagedObjects"):
1582
1192
except (AttributeError, xml.dom.DOMException,
1583
1193
xml.parsers.expat.ExpatError) as error:
1584
1194
logger.error("Failed to override Introspection method",
1585
exc_info=error)
1195
exc_info = error)
1586
1196
return xmlstring
1587
1197
1588
1589
1198
def datetime_to_dbus(dt, variant_level=0):
1590
1199
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1591
1200
if dt is None:
1592
return dbus.String("", variant_level=variant_level)
1201
return dbus.String("", variant_level = variant_level)
1593
1202
return dbus.String(dt.isoformat(), variant_level=variant_level)
1594
1203
1595
1204
1598
1207
dbus.service.Object, it will add alternate D-Bus attributes with
1599
1208
interface names according to the "alt_interface_names" mapping.
1600
1209
Usage:
1601
1210
1602
1211
@alternate_dbus_interfaces({"org.example.Interface":
1603
1212
"net.example.AlternateInterface"})
1604
1213
class SampleDBusObject(dbus.service.Object):
1605
1214
@dbus.service.method("org.example.Interface")
1606
1215
def SampleDBusMethod():
1607
1216
pass
1608
1217
1609
1218
The above "SampleDBusMethod" on "SampleDBusObject" will be
1610
1219
reachable via two interfaces: "org.example.Interface" and
1611
1220
"net.example.AlternateInterface", the latter of which will have
1612
1221
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1613
1222
"true", unless "deprecate" is passed with a False value.
1614
1223
1615
1224
This works for methods and signals, and also for D-Bus properties
1616
1225
(from DBusObjectWithProperties) and interfaces (from the
1617
1226
dbus_interface_annotations decorator).
1618
1227
"""
1619
1228
1620
1229
def wrapper(cls):
1621
1230
for orig_interface_name, alt_interface_name in (
1622
1231
alt_interface_names.items()):
1637
1246
interface_names.add(alt_interface)
1638
1247
# Is this a D-Bus signal?
1639
1248
if getattr(attribute, "_dbus_is_signal", False):
1640
# Extract the original non-method undecorated
1641
# function by black magic
1642
1249
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1643
1252
nonmethod_func = (dict(
1644
1253
zip(attribute.func_code.co_freevars,
1645
1254
attribute.__closure__))
1646
1255
["func"].cell_contents)
1647
1256
else:
1648
nonmethod_func = (dict(
1649
zip(attribute.__code__.co_freevars,
1650
attribute.__closure__))
1651
["func"].cell_contents)
1257
nonmethod_func = attribute
1652
1258
# Create a new, but exactly alike, function
1653
1259
# object, and decorate it to be a new D-Bus signal
1654
1260
# with the alternate D-Bus interface name
1655
new_function = copy_function(nonmethod_func)
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1268
else:
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1656
1275
new_function = (dbus.service.signal(
1657
1276
alt_interface,
1658
1277
attribute._dbus_signature)(new_function))
1662
1281
attribute._dbus_annotations)
1663
1282
except AttributeError:
1664
1283
pass
1665
1666
1284
# Define a creator of a function to call both the
1667
1285
# original and alternate functions, so both the
1668
1286
# original and alternate signals gets sent when
1671
1289
"""This function is a scope container to pass
1672
1290
func1 and func2 to the "call_both" function
1673
1291
outside of its arguments"""
1674
1292
1675
1293
@functools.wraps(func2)
1676
1294
def call_both(*args, **kwargs):
1677
1295
"""This function will emit two D-Bus
1678
1296
signals by calling func1 and func2"""
1679
1297
func1(*args, **kwargs)
1680
1298
func2(*args, **kwargs)
1681
# Make wrapper function look like a D-Bus
1682
# signal
1299
# Make wrapper function look like a D-Bus signal
1683
1300
for name, attr in inspect.getmembers(func2):
1684
1301
if name.startswith("_dbus_"):
1685
1302
setattr(call_both, name, attr)
1686
1303
1687
1304
return call_both
1688
1305
# Create the "call_both" function and add it to
1689
1306
# the class
1699
1316
alt_interface,
1700
1317
attribute._dbus_in_signature,
1701
1318
attribute._dbus_out_signature)
1702
(copy_function(attribute)))
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1703
1324
# Copy annotations, if any
1704
1325
try:
1705
1326
attr[attrname]._dbus_annotations = dict(
1717
1338
attribute._dbus_access,
1718
1339
attribute._dbus_get_args_options
1719
1340
["byte_arrays"])
1720
(copy_function(attribute)))
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1721
1347
# Copy annotations, if any
1722
1348
try:
1723
1349
attr[attrname]._dbus_annotations = dict(
1732
1358
# to the class.
1733
1359
attr[attrname] = (
1734
1360
dbus_interface_annotations(alt_interface)
1735
(copy_function(attribute)))
1361
(types.FunctionType(attribute.func_code,
1362
attribute.func_globals,
1363
attribute.func_name,
1364
attribute.func_defaults,
1365
attribute.func_closure)))
1736
1366
if deprecate:
1737
1367
# Deprecate all alternate interfaces
1738
iname = "_AlternateDBusNames_interface_annotation{}"
1368
iname="_AlternateDBusNames_interface_annotation{}"
1739
1369
for interface_name in interface_names:
1740
1370
1741
1371
@dbus_interface_annotations(interface_name)
1742
1372
def func(self):
1743
return {"org.freedesktop.DBus.Deprecated":
1744
"true"}
1373
return { "org.freedesktop.DBus.Deprecated":
1374
"true" }
1745
1375
# Find an unused name
1746
1376
for aname in (iname.format(i)
1747
1377
for i in itertools.count()):
1751
1381
if interface_names:
1752
1382
# Replace the class with a new subclass of it with
1753
1383
# methods, signals, etc. as created above.
1754
if sys.version_info.major == 2:
1755
cls = type(b"{}Alternate".format(cls.__name__),
1756
(cls, ), attr)
1757
else:
1758
cls = type("{}Alternate".format(cls.__name__),
1759
(cls, ), attr)
1384
cls = type(b"{}Alternate".format(cls.__name__),
1385
(cls, ), attr)
1760
1386
return cls
1761
1387
1762
1388
return wrapper
1763
1389
1764
1390
1766
1392
"se.bsnet.fukt.Mandos"})
1767
1393
class ClientDBus(Client, DBusObjectWithProperties):
1768
1394
"""A Client class using D-Bus
1769
1395
1770
1396
Attributes:
1771
1397
dbus_object_path: dbus.ObjectPath
1772
1398
bus: dbus.SystemBus()
1773
1399
"""
1774
1400
1775
1401
runtime_expansions = (Client.runtime_expansions
1776
1402
+ ("dbus_object_path", ))
1777
1403
1778
1404
_interface = "se.recompile.Mandos.Client"
1779
1405
1780
1406
# dbus.service.Object doesn't use super(), so we can't either.
1781
1782
def __init__(self, bus=None, *args, **kwargs):
1407
1408
def __init__(self, bus = None, *args, **kwargs):
1783
1409
self.bus = bus
1784
1410
Client.__init__(self, *args, **kwargs)
1785
1411
# Only now, when this client is initialized, can it show up on
1791
1417
"/clients/" + client_object_name)
1792
1418
DBusObjectWithProperties.__init__(self, self.bus,
1793
1419
self.dbus_object_path)
1794
1420
1795
1421
def notifychangeproperty(transform_func, dbus_name,
1796
1422
type_func=lambda x: x,
1797
1423
variant_level=1,
1799
1425
_interface=_interface):
1800
1426
""" Modify a variable so that it's a property which announces
1801
1427
its changes to DBus.
1802
1428
1803
1429
transform_fun: Function that takes a value and a variant_level
1804
1430
and transforms it to a D-Bus type.
1805
1431
dbus_name: D-Bus name of the variable
1808
1434
variant_level: D-Bus variant level. Default: 1
1809
1435
"""
1810
1436
attrname = "_{}".format(dbus_name)
1811
1437
1812
1438
def setter(self, value):
1813
1439
if hasattr(self, "dbus_object_path"):
1814
1440
if (not hasattr(self, attrname) or
1821
1447
else:
1822
1448
dbus_value = transform_func(
1823
1449
type_func(value),
1824
variant_level=variant_level)
1450
variant_level = variant_level)
1825
1451
self.PropertyChanged(dbus.String(dbus_name),
1826
1452
dbus_value)
1827
1453
self.PropertiesChanged(
1828
1454
_interface,
1829
dbus.Dictionary({dbus.String(dbus_name):
1830
dbus_value}),
1455
dbus.Dictionary({ dbus.String(dbus_name):
1456
dbus_value }),
1831
1457
dbus.Array())
1832
1458
setattr(self, attrname, value)
1833
1459
1834
1460
return property(lambda self: getattr(self, attrname), setter)
1835
1461
1836
1462
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1837
1463
approvals_pending = notifychangeproperty(dbus.Boolean,
1838
1464
"ApprovalPending",
1839
type_func=bool)
1465
type_func = bool)
1840
1466
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1841
1467
last_enabled = notifychangeproperty(datetime_to_dbus,
1842
1468
"LastEnabled")
1843
1469
checker = notifychangeproperty(
1844
1470
dbus.Boolean, "CheckerRunning",
1845
type_func=lambda checker: checker is not None)
1471
type_func = lambda checker: checker is not None)
1846
1472
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1847
1473
"LastCheckedOK")
1848
1474
last_checker_status = notifychangeproperty(dbus.Int16,
1853
1479
"ApprovedByDefault")
1854
1480
approval_delay = notifychangeproperty(
1855
1481
dbus.UInt64, "ApprovalDelay",
1856
type_func=lambda td: td.total_seconds() * 1000)
1482
type_func = lambda td: td.total_seconds() * 1000)
1857
1483
approval_duration = notifychangeproperty(
1858
1484
dbus.UInt64, "ApprovalDuration",
1859
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1860
1486
host = notifychangeproperty(dbus.String, "Host")
1861
1487
timeout = notifychangeproperty(
1862
1488
dbus.UInt64, "Timeout",
1863
type_func=lambda td: td.total_seconds() * 1000)
1489
type_func = lambda td: td.total_seconds() * 1000)
1864
1490
extended_timeout = notifychangeproperty(
1865
1491
dbus.UInt64, "ExtendedTimeout",
1866
type_func=lambda td: td.total_seconds() * 1000)
1492
type_func = lambda td: td.total_seconds() * 1000)
1867
1493
interval = notifychangeproperty(
1868
1494
dbus.UInt64, "Interval",
1869
type_func=lambda td: td.total_seconds() * 1000)
1495
type_func = lambda td: td.total_seconds() * 1000)
1870
1496
checker_command = notifychangeproperty(dbus.String, "Checker")
1871
1497
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1872
1498
invalidate_only=True)
1873
1499
1874
1500
del notifychangeproperty
1875
1501
1876
1502
def __del__(self, *args, **kwargs):
1877
1503
try:
1878
1504
self.remove_from_connection()
1881
1507
if hasattr(DBusObjectWithProperties, "__del__"):
1882
1508
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1883
1509
Client.__del__(self, *args, **kwargs)
1884
1510
1885
1511
def checker_callback(self, source, condition,
1886
1512
connection, command, *args, **kwargs):
1887
1513
ret = Client.checker_callback(self, source, condition,
1903
1529
| self.last_checker_signal),
1904
1530
dbus.String(command))
1905
1531
return ret
1906
1532
1907
1533
def start_checker(self, *args, **kwargs):
1908
1534
old_checker_pid = getattr(self.checker, "pid", None)
1909
1535
r = Client.start_checker(self, *args, **kwargs)
1913
1539
# Emit D-Bus signal
1914
1540
self.CheckerStarted(self.current_checker_command)
1915
1541
return r
1916
1542
1917
1543
def _reset_approved(self):
1918
1544
self.approved = None
1919
1545
return False
1920
1546
1921
1547
def approve(self, value=True):
1922
1548
self.approved = value
1923
GLib.timeout_add(int(self.approval_duration.total_seconds()
1924
* 1000), self._reset_approved)
1549
gobject.timeout_add(int(self.approval_duration.total_seconds()
1550
* 1000), self._reset_approved)
1925
1551
self.send_changedstate()
1926
1927
# D-Bus methods, signals & properties
1928
1929
# Interfaces
1930
1931
# Signals
1932
1552
1553
## D-Bus methods, signals & properties
1554
1555
## Interfaces
1556
1557
## Signals
1558
1933
1559
# CheckerCompleted - signal
1934
1560
@dbus.service.signal(_interface, signature="nxs")
1935
1561
def CheckerCompleted(self, exitcode, waitstatus, command):
1936
1562
"D-Bus signal"
1937
1563
pass
1938
1564
1939
1565
# CheckerStarted - signal
1940
1566
@dbus.service.signal(_interface, signature="s")
1941
1567
def CheckerStarted(self, command):
1942
1568
"D-Bus signal"
1943
1569
pass
1944
1570
1945
1571
# PropertyChanged - signal
1946
1572
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1947
1573
@dbus.service.signal(_interface, signature="sv")
1948
1574
def PropertyChanged(self, property, value):
1949
1575
"D-Bus signal"
1950
1576
pass
1951
1577
1952
1578
# GotSecret - signal
1953
1579
@dbus.service.signal(_interface)
1954
1580
def GotSecret(self):
1957
1583
server to mandos-client
1958
1584
"""
1959
1585
pass
1960
1586
1961
1587
# Rejected - signal
1962
1588
@dbus.service.signal(_interface, signature="s")
1963
1589
def Rejected(self, reason):
1964
1590
"D-Bus signal"
1965
1591
pass
1966
1592
1967
1593
# NeedApproval - signal
1968
1594
@dbus.service.signal(_interface, signature="tb")
1969
1595
def NeedApproval(self, timeout, default):
1970
1596
"D-Bus signal"
1971
1597
return self.need_approval()
1972
1973
# Methods
1974
1598
1599
## Methods
1600
1975
1601
# Approve - method
1976
1602
@dbus.service.method(_interface, in_signature="b")
1977
1603
def Approve(self, value):
1978
1604
self.approve(value)
1979
1605
1980
1606
# CheckedOK - method
1981
1607
@dbus.service.method(_interface)
1982
1608
def CheckedOK(self):
1983
1609
self.checked_ok()
1984
1610
1985
1611
# Enable - method
1986
1612
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1987
1613
@dbus.service.method(_interface)
1988
1614
def Enable(self):
1989
1615
"D-Bus method"
1990
1616
self.enable()
1991
1617
1992
1618
# StartChecker - method
1993
1619
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1994
1620
@dbus.service.method(_interface)
1995
1621
def StartChecker(self):
1996
1622
"D-Bus method"
1997
1623
self.start_checker()
1998
1624
1999
1625
# Disable - method
2000
1626
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2001
1627
@dbus.service.method(_interface)
2002
1628
def Disable(self):
2003
1629
"D-Bus method"
2004
1630
self.disable()
2005
1631
2006
1632
# StopChecker - method
2007
1633
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1634
@dbus.service.method(_interface)
2009
1635
def StopChecker(self):
2010
1636
self.stop_checker()
2011
2012
# Properties
2013
1637
1638
## Properties
1639
2014
1640
# ApprovalPending - property
2015
1641
@dbus_service_property(_interface, signature="b", access="read")
2016
1642
def ApprovalPending_dbus_property(self):
2017
1643
return dbus.Boolean(bool(self.approvals_pending))
2018
1644
2019
1645
# ApprovedByDefault - property
2020
1646
@dbus_service_property(_interface,
2021
1647
signature="b",
2024
1650
if value is None: # get
2025
1651
return dbus.Boolean(self.approved_by_default)
2026
1652
self.approved_by_default = bool(value)
2027
1653
2028
1654
# ApprovalDelay - property
2029
1655
@dbus_service_property(_interface,
2030
1656
signature="t",
2034
1660
return dbus.UInt64(self.approval_delay.total_seconds()
2035
1661
* 1000)
2036
1662
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2037
1663
2038
1664
# ApprovalDuration - property
2039
1665
@dbus_service_property(_interface,
2040
1666
signature="t",
2044
1670
return dbus.UInt64(self.approval_duration.total_seconds()
2045
1671
* 1000)
2046
1672
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2047
1673
2048
1674
# Name - property
2049
1675
@dbus_annotations(
2050
1676
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2051
1677
@dbus_service_property(_interface, signature="s", access="read")
2052
1678
def Name_dbus_property(self):
2053
1679
return dbus.String(self.name)
2054
2055
# KeyID - property
2056
@dbus_annotations(
2057
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2058
@dbus_service_property(_interface, signature="s", access="read")
2059
def KeyID_dbus_property(self):
2060
return dbus.String(self.key_id)
2061
1680
2062
1681
# Fingerprint - property
2063
1682
@dbus_annotations(
2064
1683
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2065
1684
@dbus_service_property(_interface, signature="s", access="read")
2066
1685
def Fingerprint_dbus_property(self):
2067
1686
return dbus.String(self.fingerprint)
2068
1687
2069
1688
# Host - property
2070
1689
@dbus_service_property(_interface,
2071
1690
signature="s",
2074
1693
if value is None: # get
2075
1694
return dbus.String(self.host)
2076
1695
self.host = str(value)
2077
1696
2078
1697
# Created - property
2079
1698
@dbus_annotations(
2080
1699
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2081
1700
@dbus_service_property(_interface, signature="s", access="read")
2082
1701
def Created_dbus_property(self):
2083
1702
return datetime_to_dbus(self.created)
2084
1703
2085
1704
# LastEnabled - property
2086
1705
@dbus_service_property(_interface, signature="s", access="read")
2087
1706
def LastEnabled_dbus_property(self):
2088
1707
return datetime_to_dbus(self.last_enabled)
2089
1708
2090
1709
# Enabled - property
2091
1710
@dbus_service_property(_interface,
2092
1711
signature="b",
2098
1717
self.enable()
2099
1718
else:
2100
1719
self.disable()
2101
1720
2102
1721
# LastCheckedOK - property
2103
1722
@dbus_service_property(_interface,
2104
1723
signature="s",
2108
1727
self.checked_ok()
2109
1728
return
2110
1729
return datetime_to_dbus(self.last_checked_ok)
2111
1730
2112
1731
# LastCheckerStatus - property
2113
1732
@dbus_service_property(_interface, signature="n", access="read")
2114
1733
def LastCheckerStatus_dbus_property(self):
2115
1734
return dbus.Int16(self.last_checker_status)
2116
1735
2117
1736
# Expires - property
2118
1737
@dbus_service_property(_interface, signature="s", access="read")
2119
1738
def Expires_dbus_property(self):
2120
1739
return datetime_to_dbus(self.expires)
2121
1740
2122
1741
# LastApprovalRequest - property
2123
1742
@dbus_service_property(_interface, signature="s", access="read")
2124
1743
def LastApprovalRequest_dbus_property(self):
2125
1744
return datetime_to_dbus(self.last_approval_request)
2126
1745
2127
1746
# Timeout - property
2128
1747
@dbus_service_property(_interface,
2129
1748
signature="t",
2144
1763
if (getattr(self, "disable_initiator_tag", None)
2145
1764
is None):
2146
1765
return
2147
GLib.source_remove(self.disable_initiator_tag)
2148
self.disable_initiator_tag = GLib.timeout_add(
1766
gobject.source_remove(self.disable_initiator_tag)
1767
self.disable_initiator_tag = gobject.timeout_add(
2149
1768
int((self.expires - now).total_seconds() * 1000),
2150
1769
self.disable)
2151
1770
2152
1771
# ExtendedTimeout - property
2153
1772
@dbus_service_property(_interface,
2154
1773
signature="t",
2158
1777
return dbus.UInt64(self.extended_timeout.total_seconds()
2159
1778
* 1000)
2160
1779
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2161
1780
2162
1781
# Interval - property
2163
1782
@dbus_service_property(_interface,
2164
1783
signature="t",
2171
1790
return
2172
1791
if self.enabled:
2173
1792
# Reschedule checker run
2174
GLib.source_remove(self.checker_initiator_tag)
2175
self.checker_initiator_tag = GLib.timeout_add(
1793
gobject.source_remove(self.checker_initiator_tag)
1794
self.checker_initiator_tag = gobject.timeout_add(
2176
1795
value, self.start_checker)
2177
self.start_checker() # Start one now, too
2178
1796
self.start_checker() # Start one now, too
1797
2179
1798
# Checker - property
2180
1799
@dbus_service_property(_interface,
2181
1800
signature="s",
2184
1803
if value is None: # get
2185
1804
return dbus.String(self.checker_command)
2186
1805
self.checker_command = str(value)
2187
1806
2188
1807
# CheckerRunning - property
2189
1808
@dbus_service_property(_interface,
2190
1809
signature="b",
2196
1815
self.start_checker()
2197
1816
else:
2198
1817
self.stop_checker()
2199
1818
2200
1819
# ObjectPath - property
2201
1820
@dbus_annotations(
2202
1821
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2203
1822
"org.freedesktop.DBus.Deprecated": "true"})
2204
1823
@dbus_service_property(_interface, signature="o", access="read")
2205
1824
def ObjectPath_dbus_property(self):
2206
return self.dbus_object_path # is already a dbus.ObjectPath
2207
1825
return self.dbus_object_path # is already a dbus.ObjectPath
1826
2208
1827
# Secret = property
2209
1828
@dbus_annotations(
2210
1829
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2215
1834
byte_arrays=True)
2216
1835
def Secret_dbus_property(self, value):
2217
1836
self.secret = bytes(value)
2218
1837
2219
1838
del _interface
2220
1839
2221
1840
2222
1841
class ProxyClient(object):
2223
def __init__(self, child_pipe, key_id, fpr, address):
1842
def __init__(self, child_pipe, fpr, address):
2224
1843
self._pipe = child_pipe
2225
self._pipe.send(('init', key_id, fpr, address))
1844
self._pipe.send(('init', fpr, address))
2226
1845
if not self._pipe.recv():
2227
raise KeyError(key_id or fpr)
2228
1846
raise KeyError(fpr)
1847
2229
1848
def __getattribute__(self, name):
2230
1849
if name == '_pipe':
2231
1850
return super(ProxyClient, self).__getattribute__(name)
2234
1853
if data[0] == 'data':
2235
1854
return data[1]
2236
1855
if data[0] == 'function':
2237
1856
2238
1857
def func(*args, **kwargs):
2239
1858
self._pipe.send(('funcall', name, args, kwargs))
2240
1859
return self._pipe.recv()[1]
2241
1860
2242
1861
return func
2243
1862
2244
1863
def __setattr__(self, name, value):
2245
1864
if name == '_pipe':
2246
1865
return super(ProxyClient, self).__setattr__(name, value)
2249
1868
2250
1869
class ClientHandler(socketserver.BaseRequestHandler, object):
2251
1870
"""A class to handle client connections.
2252
1871
2253
1872
Instantiated once for each connection to handle it.
2254
1873
Note: This will run in its own forked process."""
2255
1874
2256
1875
def handle(self):
2257
1876
with contextlib.closing(self.server.child_pipe) as child_pipe:
2258
1877
logger.info("TCP connection from: %s",
2259
1878
str(self.client_address))
2260
1879
logger.debug("Pipe FD: %d",
2261
1880
self.server.child_pipe.fileno())
2262
2263
session = gnutls.ClientSession(self.request)
2264
2265
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2266
# "+AES-256-CBC", "+SHA1",
2267
# "+COMP-NULL", "+CTYPE-OPENPGP",
2268
# "+DHE-DSS"))
1881
1882
session = gnutls.connection.ClientSession(
1883
self.request, gnutls.connection.X509Credentials())
1884
1885
# Note: gnutls.connection.X509Credentials is really a
1886
# generic GnuTLS certificate credentials object so long as
1887
# no X.509 keys are added to it. Therefore, we can use it
1888
# here despite using OpenPGP certificates.
1889
1890
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1891
# "+AES-256-CBC", "+SHA1",
1892
# "+COMP-NULL", "+CTYPE-OPENPGP",
1893
# "+DHE-DSS"))
2269
1894
# Use a fallback default, since this MUST be set.
2270
1895
priority = self.server.gnutls_priority
2271
1896
if priority is None:
2272
1897
priority = "NORMAL"
2273
gnutls.priority_set_direct(session._c_object,
2274
priority.encode("utf-8"),
2275
None)
2276
1898
gnutls.library.functions.gnutls_priority_set_direct(
1899
session._c_object, priority, None)
1900
2277
1901
# Start communication using the Mandos protocol
2278
1902
# Get protocol number
2279
1903
line = self.request.makefile().readline()
2284
1908
except (ValueError, IndexError, RuntimeError) as error:
2285
1909
logger.error("Unknown protocol version: %s", error)
2286
1910
return
2287
1911
2288
1912
# Start GnuTLS connection
2289
1913
try:
2290
1914
session.handshake()
2291
except gnutls.Error as error:
1915
except gnutls.errors.GNUTLSError as error:
2292
1916
logger.warning("Handshake failed: %s", error)
2293
1917
# Do not run session.bye() here: the session is not
2294
1918
# established. Just abandon the request.
2295
1919
return
2296
1920
logger.debug("Handshake succeeded")
2297
1921
2298
1922
approval_required = False
2299
1923
try:
2300
if gnutls.has_rawpk:
2301
fpr = ""
2302
try:
2303
key_id = self.key_id(
2304
self.peer_certificate(session))
2305
except (TypeError, gnutls.Error) as error:
2306
logger.warning("Bad certificate: %s", error)
2307
return
2308
logger.debug("Key ID: %s", key_id)
2309
2310
else:
2311
key_id = ""
2312
try:
2313
fpr = self.fingerprint(
2314
self.peer_certificate(session))
2315
except (TypeError, gnutls.Error) as error:
2316
logger.warning("Bad certificate: %s", error)
2317
return
2318
logger.debug("Fingerprint: %s", fpr)
2319
2320
try:
2321
client = ProxyClient(child_pipe, key_id, fpr,
1924
try:
1925
fpr = self.fingerprint(
1926
self.peer_certificate(session))
1927
except (TypeError,
1928
gnutls.errors.GNUTLSError) as error:
1929
logger.warning("Bad certificate: %s", error)
1930
return
1931
logger.debug("Fingerprint: %s", fpr)
1932
1933
try:
1934
client = ProxyClient(child_pipe, fpr,
2322
1935
self.client_address)
2323
1936
except KeyError:
2324
1937
return
2325
1938
2326
1939
if client.approval_delay:
2327
1940
delay = client.approval_delay
2328
1941
client.approvals_pending += 1
2329
1942
approval_required = True
2330
1943
2331
1944
while True:
2332
1945
if not client.enabled:
2333
1946
logger.info("Client %s is disabled",
2336
1949
# Emit D-Bus signal
2337
1950
client.Rejected("Disabled")
2338
1951
return
2339
1952
2340
1953
if client.approved or not client.approval_delay:
2341
# We are approved or approval is disabled
1954
#We are approved or approval is disabled
2342
1955
break
2343
1956
elif client.approved is None:
2344
1957
logger.info("Client %s needs approval",
2355
1968
# Emit D-Bus signal
2356
1969
client.Rejected("Denied")
2357
1970
return
2358
2359
# wait until timeout or approved
1971
1972
#wait until timeout or approved
2360
1973
time = datetime.datetime.now()
2361
1974
client.changedstate.acquire()
2362
1975
client.changedstate.wait(delay.total_seconds())
2375
1988
break
2376
1989
else:
2377
1990
delay -= time2 - time
2378
2379
try:
2380
session.send(client.secret)
2381
except gnutls.Error as error:
2382
logger.warning("gnutls send failed",
2383
exc_info=error)
2384
return
2385
1991
1992
sent_size = 0
1993
while sent_size < len(client.secret):
1994
try:
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
1998
exc_info=error)
1999
return
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2002
+ sent))
2003
sent_size += sent
2004
2386
2005
logger.info("Sending secret to %s", client.name)
2387
2006
# bump the timeout using extended_timeout
2388
2007
client.bump_timeout(client.extended_timeout)
2389
2008
if self.server.use_dbus:
2390
2009
# Emit D-Bus signal
2391
2010
client.GotSecret()
2392
2011
2393
2012
finally:
2394
2013
if approval_required:
2395
2014
client.approvals_pending -= 1
2396
2015
try:
2397
2016
session.bye()
2398
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2399
2018
logger.warning("GnuTLS bye failed",
2400
2019
exc_info=error)
2401
2020
2402
2021
@staticmethod
2403
2022
def peer_certificate(session):
2404
"Return the peer's certificate as a bytestring"
2405
try:
2406
cert_type = gnutls.certificate_type_get2(session._c_object,
2407
gnutls.CTYPE_PEERS)
2408
except AttributeError:
2409
cert_type = gnutls.certificate_type_get(session._c_object)
2410
if gnutls.has_rawpk:
2411
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2412
else:
2413
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2414
# If not a valid certificate type...
2415
if cert_type not in valid_cert_types:
2416
logger.info("Cert type %r not in %r", cert_type,
2417
valid_cert_types)
2418
# ...return invalid data
2419
return b""
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2026
session._c_object)
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2420
2030
list_size = ctypes.c_uint(1)
2421
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2422
2033
(session._c_object, ctypes.byref(list_size)))
2423
2034
if not bool(cert_list) and list_size.value != 0:
2424
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2036
" certificate")
2425
2037
if list_size.value == 0:
2426
2038
return None
2427
2039
cert = cert_list[0]
2428
2040
return ctypes.string_at(cert.data, cert.size)
2429
2430
@staticmethod
2431
def key_id(certificate):
2432
"Convert a certificate bytestring to a hexdigit key ID"
2433
# New GnuTLS "datum" with the public key
2434
datum = gnutls.datum_t(
2435
ctypes.cast(ctypes.c_char_p(certificate),
2436
ctypes.POINTER(ctypes.c_ubyte)),
2437
ctypes.c_uint(len(certificate)))
2438
# XXX all these need to be created in the gnutls "module"
2439
# New empty GnuTLS certificate
2440
pubkey = gnutls.pubkey_t()
2441
gnutls.pubkey_init(ctypes.byref(pubkey))
2442
# Import the raw public key into the certificate
2443
gnutls.pubkey_import(pubkey,
2444
ctypes.byref(datum),
2445
gnutls.X509_FMT_DER)
2446
# New buffer for the key ID
2447
buf = ctypes.create_string_buffer(32)
2448
buf_len = ctypes.c_size_t(len(buf))
2449
# Get the key ID from the raw public key into the buffer
2450
gnutls.pubkey_get_key_id(pubkey,
2451
gnutls.KEYID_USE_SHA256,
2452
ctypes.cast(ctypes.byref(buf),
2453
ctypes.POINTER(ctypes.c_ubyte)),
2454
ctypes.byref(buf_len))
2455
# Deinit the certificate
2456
gnutls.pubkey_deinit(pubkey)
2457
2458
# Convert the buffer to a Python bytestring
2459
key_id = ctypes.string_at(buf, buf_len.value)
2460
# Convert the bytestring to hexadecimal notation
2461
hex_key_id = binascii.hexlify(key_id).upper()
2462
return hex_key_id
2463
2041
2464
2042
@staticmethod
2465
2043
def fingerprint(openpgp):
2466
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2467
2045
# New GnuTLS "datum" with the OpenPGP public key
2468
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2469
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2470
2048
ctypes.POINTER(ctypes.c_ubyte)),
2471
2049
ctypes.c_uint(len(openpgp)))
2472
2050
# New empty GnuTLS certificate
2473
crt = gnutls.openpgp_crt_t()
2474
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2053
ctypes.byref(crt))
2475
2054
# Import the OpenPGP public key into the certificate
2476
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2477
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2478
2058
# Verify the self signature in the key
2479
2059
crtverify = ctypes.c_uint()
2480
gnutls.openpgp_crt_verify_self(crt, 0,
2481
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2482
2062
if crtverify.value != 0:
2483
gnutls.openpgp_crt_deinit(crt)
2484
raise gnutls.CertificateSecurityError(code
2485
=crtverify.value)
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2065
"Verify failed")
2486
2066
# New buffer for the fingerprint
2487
2067
buf = ctypes.create_string_buffer(20)
2488
2068
buf_len = ctypes.c_size_t()
2489
2069
# Get the fingerprint from the certificate into the buffer
2490
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2491
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2492
2072
# Deinit the certificate
2493
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2494
2074
# Convert the buffer to a Python bytestring
2495
2075
fpr = ctypes.string_at(buf, buf_len.value)
2496
2076
# Convert the bytestring to hexadecimal notation
2500
2080
2501
2081
class MultiprocessingMixIn(object):
2502
2082
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2503
2083
2504
2084
def sub_process_main(self, request, address):
2505
2085
try:
2506
2086
self.finish_request(request, address)
2507
2087
except Exception:
2508
2088
self.handle_error(request, address)
2509
2089
self.close_request(request)
2510
2090
2511
2091
def process_request(self, request, address):
2512
2092
"""Start a new process to process the request."""
2513
proc = multiprocessing.Process(target=self.sub_process_main,
2514
args=(request, address))
2093
proc = multiprocessing.Process(target = self.sub_process_main,
2094
args = (request, address))
2515
2095
proc.start()
2516
2096
return proc
2517
2097
2518
2098
2519
2099
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2520
2100
""" adds a pipe to the MixIn """
2521
2101
2522
2102
def process_request(self, request, client_address):
2523
2103
"""Overrides and wraps the original process_request().
2524
2104
2525
2105
This function creates a new pipe in self.pipe
2526
2106
"""
2527
2107
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2528
2108
2529
2109
proc = MultiprocessingMixIn.process_request(self, request,
2530
2110
client_address)
2531
2111
self.child_pipe.close()
2532
2112
self.add_pipe(parent_pipe, proc)
2533
2113
2534
2114
def add_pipe(self, parent_pipe, proc):
2535
2115
"""Dummy function; override as necessary"""
2536
2116
raise NotImplementedError()
2539
2119
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2540
2120
socketserver.TCPServer, object):
2541
2121
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2542
2122
2543
2123
Attributes:
2544
2124
enabled: Boolean; whether this server is activated yet
2545
2125
interface: None or a network interface name (string)
2546
2126
use_ipv6: Boolean; to use IPv6 or not
2547
2127
"""
2548
2128
2549
2129
def __init__(self, server_address, RequestHandlerClass,
2550
2130
interface=None,
2551
2131
use_ipv6=True,
2561
2141
self.socketfd = socketfd
2562
2142
# Save the original socket.socket() function
2563
2143
self.socket_socket = socket.socket
2564
2565
2144
# To implement --socket, we monkey patch socket.socket.
2566
#
2145
#
2567
2146
# (When socketserver.TCPServer is a new-style class, we
2568
2147
# could make self.socket into a property instead of monkey
2569
2148
# patching socket.socket.)
2570
#
2149
#
2571
2150
# Create a one-time-only replacement for socket.socket()
2572
2151
@functools.wraps(socket.socket)
2573
2152
def socket_wrapper(*args, **kwargs):
2585
2164
# socket_wrapper(), if socketfd was set.
2586
2165
socketserver.TCPServer.__init__(self, server_address,
2587
2166
RequestHandlerClass)
2588
2167
2589
2168
def server_bind(self):
2590
2169
"""This overrides the normal server_bind() function
2591
2170
to bind to an interface if one was specified, and also NOT to
2592
2171
bind to an address or port if they were not specified."""
2593
global SO_BINDTODEVICE
2594
2172
if self.interface is not None:
2595
2173
if SO_BINDTODEVICE is None:
2596
# Fall back to a hard-coded value which seems to be
2597
# common enough.
2598
logger.warning("SO_BINDTODEVICE not found, trying 25")
2599
SO_BINDTODEVICE = 25
2600
try:
2601
self.socket.setsockopt(
2602
socket.SOL_SOCKET, SO_BINDTODEVICE,
2603
(self.interface + "\0").encode("utf-8"))
2604
except socket.error as error:
2605
if error.errno == errno.EPERM:
2606
logger.error("No permission to bind to"
2607
" interface %s", self.interface)
2608
elif error.errno == errno.ENOPROTOOPT:
2609
logger.error("SO_BINDTODEVICE not available;"
2610
" cannot bind to interface %s",
2611
self.interface)
2612
elif error.errno == errno.ENODEV:
2613
logger.error("Interface %s does not exist,"
2614
" cannot bind", self.interface)
2615
else:
2616
raise
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2176
self.interface)
2177
else:
2178
try:
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2189
self.interface)
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2193
else:
2194
raise
2617
2195
# Only bind(2) the socket if we really need to.
2618
2196
if self.server_address[0] or self.server_address[1]:
2619
2197
if not self.server_address[0]:
2620
2198
if self.address_family == socket.AF_INET6:
2621
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2622
2200
else:
2623
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2624
2202
self.server_address = (any_address,
2625
2203
self.server_address[1])
2626
2204
elif not self.server_address[1]:
2636
2214
2637
2215
class MandosServer(IPv6_TCPServer):
2638
2216
"""Mandos server.
2639
2217
2640
2218
Attributes:
2641
2219
clients: set of Client objects
2642
2220
gnutls_priority GnuTLS priority string
2643
2221
use_dbus: Boolean; to emit D-Bus signals or not
2644
2645
Assumes a GLib.MainLoop event loop.
2222
2223
Assumes a gobject.MainLoop event loop.
2646
2224
"""
2647
2225
2648
2226
def __init__(self, server_address, RequestHandlerClass,
2649
2227
interface=None,
2650
2228
use_ipv6=True,
2660
2238
self.gnutls_priority = gnutls_priority
2661
2239
IPv6_TCPServer.__init__(self, server_address,
2662
2240
RequestHandlerClass,
2663
interface=interface,
2664
use_ipv6=use_ipv6,
2665
socketfd=socketfd)
2666
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2244
2667
2245
def server_activate(self):
2668
2246
if self.enabled:
2669
2247
return socketserver.TCPServer.server_activate(self)
2670
2248
2671
2249
def enable(self):
2672
2250
self.enabled = True
2673
2251
2674
2252
def add_pipe(self, parent_pipe, proc):
2675
2253
# Call "handle_ipc" for both data and EOF events
2676
GLib.io_add_watch(
2254
gobject.io_add_watch(
2677
2255
parent_pipe.fileno(),
2678
GLib.IO_IN | GLib.IO_HUP,
2256
gobject.IO_IN | gobject.IO_HUP,
2679
2257
functools.partial(self.handle_ipc,
2680
parent_pipe=parent_pipe,
2681
proc=proc))
2682
2258
parent_pipe = parent_pipe,
2259
proc = proc))
2260
2683
2261
def handle_ipc(self, source, condition,
2684
2262
parent_pipe=None,
2685
proc=None,
2263
proc = None,
2686
2264
client_object=None):
2687
2265
# error, or the other end of multiprocessing.Pipe has closed
2688
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2689
2267
# Wait for other process to exit
2690
2268
proc.join()
2691
2269
return False
2692
2270
2693
2271
# Read a request from the child
2694
2272
request = parent_pipe.recv()
2695
2273
command = request[0]
2696
2274
2697
2275
if command == 'init':
2698
key_id = request[1].decode("ascii")
2699
fpr = request[2].decode("ascii")
2700
address = request[3]
2701
2702
for c in self.clients.values():
2703
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2704
continue
2705
if key_id and c.key_id == key_id:
2706
client = c
2707
break
2708
if fpr and c.fingerprint == fpr:
2276
fpr = request[1]
2277
address = request[2]
2278
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2709
2281
client = c
2710
2282
break
2711
2283
else:
2712
logger.info("Client not found for key ID: %s, address"
2713
": %s", key_id or fpr, address)
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2714
2286
if self.use_dbus:
2715
2287
# Emit D-Bus signal
2716
mandos_dbus_service.ClientNotFound(key_id or fpr,
2288
mandos_dbus_service.ClientNotFound(fpr,
2717
2289
address[0])
2718
2290
parent_pipe.send(False)
2719
2291
return False
2720
2721
GLib.io_add_watch(
2292
2293
gobject.io_add_watch(
2722
2294
parent_pipe.fileno(),
2723
GLib.IO_IN | GLib.IO_HUP,
2295
gobject.IO_IN | gobject.IO_HUP,
2724
2296
functools.partial(self.handle_ipc,
2725
parent_pipe=parent_pipe,
2726
proc=proc,
2727
client_object=client))
2297
parent_pipe = parent_pipe,
2298
proc = proc,
2299
client_object = client))
2728
2300
parent_pipe.send(True)
2729
2301
# remove the old hook in favor of the new above hook on
2730
2302
# same fileno
2733
2305
funcname = request[1]
2734
2306
args = request[2]
2735
2307
kwargs = request[3]
2736
2308
2737
2309
parent_pipe.send(('data', getattr(client_object,
2738
2310
funcname)(*args,
2739
2311
**kwargs)))
2740
2312
2741
2313
if command == 'getattr':
2742
2314
attrname = request[1]
2743
2315
if isinstance(client_object.__getattribute__(attrname),
2746
2318
else:
2747
2319
parent_pipe.send((
2748
2320
'data', client_object.__getattribute__(attrname)))
2749
2321
2750
2322
if command == 'setattr':
2751
2323
attrname = request[1]
2752
2324
value = request[2]
2753
2325
setattr(client_object, attrname, value)
2754
2326
2755
2327
return True
2756
2328
2757
2329
2758
2330
def rfc3339_duration_to_delta(duration):
2759
2331
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2760
2332
2761
2333
>>> rfc3339_duration_to_delta("P7D")
2762
2334
datetime.timedelta(7)
2763
2335
>>> rfc3339_duration_to_delta("PT60S")
2773
2345
>>> rfc3339_duration_to_delta("P1DT3M20S")
2774
2346
datetime.timedelta(1, 200)
2775
2347
"""
2776
2348
2777
2349
# Parsing an RFC 3339 duration with regular expressions is not
2778
2350
# possible - there would have to be multiple places for the same
2779
2351
# values, like seconds. The current code, while more esoteric, is
2780
2352
# cleaner without depending on a parsing library. If Python had a
2781
2353
# built-in library for parsing we would use it, but we'd like to
2782
2354
# avoid excessive use of external libraries.
2783
2355
2784
2356
# New type for defining tokens, syntax, and semantics all-in-one
2785
2357
Token = collections.namedtuple("Token", (
2786
2358
"regexp", # To match token; if "value" is not None, must have
2819
2391
frozenset((token_year, token_month,
2820
2392
token_day, token_time,
2821
2393
token_week)))
2822
# Define starting values:
2823
# Value so far
2824
value = datetime.timedelta()
2394
# Define starting values
2395
value = datetime.timedelta() # Value so far
2825
2396
found_token = None
2826
# Following valid tokens
2827
followers = frozenset((token_duration, ))
2828
# String left to parse
2829
s = duration
2397
followers = frozenset((token_duration, )) # Following valid tokens
2398
s = duration # String left to parse
2830
2399
# Loop until end token is found
2831
2400
while found_token is not token_end:
2832
2401
# Search for any currently valid tokens
2856
2425
2857
2426
def string_to_delta(interval):
2858
2427
"""Parse a string and return a datetime.timedelta
2859
2428
2860
2429
>>> string_to_delta('7d')
2861
2430
datetime.timedelta(7)
2862
2431
>>> string_to_delta('60s')
2870
2439
>>> string_to_delta('5m 30s')
2871
2440
datetime.timedelta(0, 330)
2872
2441
"""
2873
2442
2874
2443
try:
2875
2444
return rfc3339_duration_to_delta(interval)
2876
2445
except ValueError:
2877
2446
pass
2878
2447
2879
2448
timevalue = datetime.timedelta(0)
2880
2449
for s in interval.split():
2881
2450
try:
2899
2468
return timevalue
2900
2469
2901
2470
2902
def daemon(nochdir=False, noclose=False):
2471
def daemon(nochdir = False, noclose = False):
2903
2472
"""See daemon(3). Standard BSD Unix function.
2904
2473
2905
2474
This should really exist as os.daemon, but it doesn't (yet)."""
2906
2475
if os.fork():
2907
2476
sys.exit()
2925
2494
2926
2495
2927
2496
def main():
2928
2497
2929
2498
##################################################################
2930
2499
# Parsing of options, both command line and config file
2931
2500
2932
2501
parser = argparse.ArgumentParser()
2933
2502
parser.add_argument("-v", "--version", action="version",
2934
version="%(prog)s {}".format(version),
2503
version = "%(prog)s {}".format(version),
2935
2504
help="show version number and exit")
2936
2505
parser.add_argument("-i", "--interface", metavar="IF",
2937
2506
help="Bind to interface IF")
2973
2542
parser.add_argument("--no-zeroconf", action="store_false",
2974
2543
dest="zeroconf", help="Do not use Zeroconf",
2975
2544
default=None)
2976
2545
2977
2546
options = parser.parse_args()
2978
2547
2979
2548
if options.check:
2980
2549
import doctest
2981
2550
fail_count, test_count = doctest.testmod()
2982
2551
sys.exit(os.EX_OK if fail_count == 0 else 1)
2983
2552
2984
2553
# Default values for config file for server-global settings
2985
if gnutls.has_rawpk:
2986
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2987
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2988
else:
2989
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2990
":+SIGN-DSA-SHA256")
2991
server_defaults = {"interface": "",
2992
"address": "",
2993
"port": "",
2994
"debug": "False",
2995
"priority": priority,
2996
"servicename": "Mandos",
2997
"use_dbus": "True",
2998
"use_ipv6": "True",
2999
"debuglevel": "",
3000
"restore": "True",
3001
"socket": "",
3002
"statedir": "/var/lib/mandos",
3003
"foreground": "False",
3004
"zeroconf": "True",
3005
}
3006
del priority
3007
2554
server_defaults = { "interface": "",
2555
"address": "",
2556
"port": "",
2557
"debug": "False",
2558
"priority":
2559
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2560
":+SIGN-DSA-SHA256",
2561
"servicename": "Mandos",
2562
"use_dbus": "True",
2563
"use_ipv6": "True",
2564
"debuglevel": "",
2565
"restore": "True",
2566
"socket": "",
2567
"statedir": "/var/lib/mandos",
2568
"foreground": "False",
2569
"zeroconf": "True",
2570
}
2571
3008
2572
# Parse config file for server-global settings
3009
2573
server_config = configparser.SafeConfigParser(server_defaults)
3010
2574
del server_defaults
3012
2576
# Convert the SafeConfigParser object to a dict
3013
2577
server_settings = server_config.defaults()
3014
2578
# Use the appropriate methods on the non-string config options
3015
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3016
"foreground", "zeroconf"):
2579
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3017
2580
server_settings[option] = server_config.getboolean("DEFAULT",
3018
2581
option)
3019
2582
if server_settings["port"]:
3029
2592
server_settings["socket"] = os.dup(server_settings
3030
2593
["socket"])
3031
2594
del server_config
3032
2595
3033
2596
# Override the settings from the config file with command line
3034
2597
# options, if set.
3035
2598
for option in ("interface", "address", "port", "debug",
3053
2616
if server_settings["debug"]:
3054
2617
server_settings["foreground"] = True
3055
2618
# Now we have our good server settings in "server_settings"
3056
2619
3057
2620
##################################################################
3058
2621
3059
2622
if (not server_settings["zeroconf"]
3060
2623
and not (server_settings["port"]
3061
2624
or server_settings["socket"] != "")):
3062
2625
parser.error("Needs port or socket to work without Zeroconf")
3063
2626
3064
2627
# For convenience
3065
2628
debug = server_settings["debug"]
3066
2629
debuglevel = server_settings["debuglevel"]
3070
2633
stored_state_file)
3071
2634
foreground = server_settings["foreground"]
3072
2635
zeroconf = server_settings["zeroconf"]
3073
2636
3074
2637
if debug:
3075
2638
initlogger(debug, logging.DEBUG)
3076
2639
else:
3079
2642
else:
3080
2643
level = getattr(logging, debuglevel.upper())
3081
2644
initlogger(debug, level)
3082
2645
3083
2646
if server_settings["servicename"] != "Mandos":
3084
2647
syslogger.setFormatter(
3085
2648
logging.Formatter('Mandos ({}) [%(process)d]:'
3086
2649
' %(levelname)s: %(message)s'.format(
3087
2650
server_settings["servicename"])))
3088
2651
3089
2652
# Parse config file with clients
3090
2653
client_config = configparser.SafeConfigParser(Client
3091
2654
.client_defaults)
3092
2655
client_config.read(os.path.join(server_settings["configdir"],
3093
2656
"clients.conf"))
3094
2657
3095
2658
global mandos_dbus_service
3096
2659
mandos_dbus_service = None
3097
2660
3098
2661
socketfd = None
3099
2662
if server_settings["socket"] != "":
3100
2663
socketfd = server_settings["socket"]
3116
2679
except IOError as e:
3117
2680
logger.error("Could not open file %r", pidfilename,
3118
2681
exc_info=e)
3119
3120
for name, group in (("_mandos", "_mandos"),
3121
("mandos", "mandos"),
3122
("nobody", "nogroup")):
2682
2683
for name in ("_mandos", "mandos", "nobody"):
3123
2684
try:
3124
2685
uid = pwd.getpwnam(name).pw_uid
3125
gid = pwd.getpwnam(group).pw_gid
2686
gid = pwd.getpwnam(name).pw_gid
3126
2687
break
3127
2688
except KeyError:
3128
2689
continue
3132
2693
try:
3133
2694
os.setgid(gid)
3134
2695
os.setuid(uid)
3135
if debug:
3136
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3137
gid))
3138
2696
except OSError as error:
3139
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3140
.format(uid, gid, os.strerror(error.errno)))
3141
2697
if error.errno != errno.EPERM:
3142
2698
raise
3143
2699
3144
2700
if debug:
3145
2701
# Enable all possible GnuTLS debugging
3146
2702
3147
2703
# "Use a log level over 10 to enable all debugging options."
3148
2704
# - GnuTLS manual
3149
gnutls.global_set_log_level(11)
3150
3151
@gnutls.log_func
2705
gnutls.library.functions.gnutls_global_set_log_level(11)
2706
2707
@gnutls.library.types.gnutls_log_func
3152
2708
def debug_gnutls(level, string):
3153
2709
logger.debug("GnuTLS: %s", string[:-1])
3154
3155
gnutls.global_set_log_function(debug_gnutls)
3156
2710
2711
gnutls.library.functions.gnutls_global_set_log_function(
2712
debug_gnutls)
2713
3157
2714
# Redirect stdin so all checkers get /dev/null
3158
2715
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3159
2716
os.dup2(null, sys.stdin.fileno())
3160
2717
if null > 2:
3161
2718
os.close(null)
3162
2719
3163
2720
# Need to fork before connecting to D-Bus
3164
2721
if not foreground:
3165
2722
# Close all input and output, do double fork, etc.
3166
2723
daemon()
3167
3168
# multiprocessing will use threads, so before we use GLib we need
3169
# to inform GLib that threads will be used.
3170
GLib.threads_init()
3171
2724
2725
# multiprocessing will use threads, so before we use gobject we
2726
# need to inform gobject that threads will be used.
2727
gobject.threads_init()
2728
3172
2729
global main_loop
3173
2730
# From the Avahi example code
3174
2731
DBusGMainLoop(set_as_default=True)
3175
main_loop = GLib.MainLoop()
2732
main_loop = gobject.MainLoop()
3176
2733
bus = dbus.SystemBus()
3177
2734
# End of Avahi example code
3178
2735
if use_dbus:
3191
2748
if zeroconf:
3192
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3193
2750
service = AvahiServiceToSyslog(
3194
name=server_settings["servicename"],
3195
servicetype="_mandos._tcp",
3196
protocol=protocol,
3197
bus=bus)
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2754
bus = bus)
3198
2755
if server_settings["interface"]:
3199
2756
service.interface = if_nametoindex(
3200
2757
server_settings["interface"].encode("utf-8"))
3201
2758
3202
2759
global multiprocessing_manager
3203
2760
multiprocessing_manager = multiprocessing.Manager()
3204
2761
3205
2762
client_class = Client
3206
2763
if use_dbus:
3207
client_class = functools.partial(ClientDBus, bus=bus)
3208
2764
client_class = functools.partial(ClientDBus, bus = bus)
2765
3209
2766
client_settings = Client.config_parser(client_config)
3210
2767
old_client_settings = {}
3211
2768
clients_data = {}
3212
2769
3213
2770
# This is used to redirect stdout and stderr for checker processes
3214
2771
global wnull
3215
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3216
2773
# Only used if server is running in foreground but not in debug
3217
2774
# mode
3218
2775
if debug or not foreground:
3219
2776
wnull.close()
3220
2777
3221
2778
# Get client data and settings from last running state.
3222
2779
if server_settings["restore"]:
3223
2780
try:
3224
2781
with open(stored_state_path, "rb") as stored_state:
3225
if sys.version_info.major == 2:
3226
clients_data, old_client_settings = pickle.load(
3227
stored_state)
3228
else:
3229
bytes_clients_data, bytes_old_client_settings = (
3230
pickle.load(stored_state, encoding="bytes"))
3231
# Fix bytes to strings
3232
# clients_data
3233
# .keys()
3234
clients_data = {(key.decode("utf-8")
3235
if isinstance(key, bytes)
3236
else key): value
3237
for key, value in
3238
bytes_clients_data.items()}
3239
del bytes_clients_data
3240
for key in clients_data:
3241
value = {(k.decode("utf-8")
3242
if isinstance(k, bytes) else k): v
3243
for k, v in
3244
clients_data[key].items()}
3245
clients_data[key] = value
3246
# .client_structure
3247
value["client_structure"] = [
3248
(s.decode("utf-8")
3249
if isinstance(s, bytes)
3250
else s) for s in
3251
value["client_structure"]]
3252
# .name & .host
3253
for k in ("name", "host"):
3254
if isinstance(value[k], bytes):
3255
value[k] = value[k].decode("utf-8")
3256
if not value.has_key("key_id"):
3257
value["key_id"] = ""
3258
elif not value.has_key("fingerprint"):
3259
value["fingerprint"] = ""
3260
# old_client_settings
3261
# .keys()
3262
old_client_settings = {
3263
(key.decode("utf-8")
3264
if isinstance(key, bytes)
3265
else key): value
3266
for key, value in
3267
bytes_old_client_settings.items()}
3268
del bytes_old_client_settings
3269
# .host
3270
for value in old_client_settings.values():
3271
if isinstance(value["host"], bytes):
3272
value["host"] = (value["host"]
3273
.decode("utf-8"))
2782
clients_data, old_client_settings = pickle.load(
2783
stored_state)
3274
2784
os.remove(stored_state_path)
3275
2785
except IOError as e:
3276
2786
if e.errno == errno.ENOENT:
3284
2794
logger.warning("Could not load persistent state: "
3285
2795
"EOFError:",
3286
2796
exc_info=e)
3287
2797
3288
2798
with PGPEngine() as pgp:
3289
2799
for client_name, client in clients_data.items():
3290
2800
# Skip removed clients
3291
2801
if client_name not in client_settings:
3292
2802
continue
3293
2803
3294
2804
# Decide which value to use after restoring saved state.
3295
2805
# We have three different values: Old config file,
3296
2806
# new config file, and saved state.
3307
2817
client[name] = value
3308
2818
except KeyError:
3309
2819
pass
3310
2820
3311
2821
# Clients who has passed its expire date can still be
3312
2822
# enabled if its last checker was successful. A Client
3313
2823
# whose checker succeeded before we stored its state is
3346
2856
client_name))
3347
2857
client["secret"] = (client_settings[client_name]
3348
2858
["secret"])
3349
2859
3350
2860
# Add/remove clients based on new changes made to config
3351
2861
for client_name in (set(old_client_settings)
3352
2862
- set(client_settings)):
3354
2864
for client_name in (set(client_settings)
3355
2865
- set(old_client_settings)):
3356
2866
clients_data[client_name] = client_settings[client_name]
3357
2867
3358
2868
# Create all client objects
3359
2869
for client_name, client in clients_data.items():
3360
2870
tcp_server.clients[client_name] = client_class(
3361
name=client_name,
3362
settings=client,
3363
server_settings=server_settings)
3364
2871
name = client_name,
2872
settings = client,
2873
server_settings = server_settings)
2874
3365
2875
if not tcp_server.clients:
3366
2876
logger.warning("No clients defined")
3367
2877
3368
2878
if not foreground:
3369
2879
if pidfile is not None:
3370
2880
pid = os.getpid()
3376
2886
pidfilename, pid)
3377
2887
del pidfile
3378
2888
del pidfilename
3379
3380
for termsig in (signal.SIGHUP, signal.SIGTERM):
3381
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3382
lambda: main_loop.quit() and False)
3383
2889
2890
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2891
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2892
3384
2893
if use_dbus:
3385
2894
3386
2895
@alternate_dbus_interfaces(
3387
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2896
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3388
2897
class MandosDBusService(DBusObjectWithObjectManager):
3389
2898
"""A D-Bus proxy object"""
3390
2899
3391
2900
def __init__(self):
3392
2901
dbus.service.Object.__init__(self, bus, "/")
3393
2902
3394
2903
_interface = "se.recompile.Mandos"
3395
2904
3396
2905
@dbus.service.signal(_interface, signature="o")
3397
2906
def ClientAdded(self, objpath):
3398
2907
"D-Bus signal"
3399
2908
pass
3400
2909
3401
2910
@dbus.service.signal(_interface, signature="ss")
3402
def ClientNotFound(self, key_id, address):
2911
def ClientNotFound(self, fingerprint, address):
3403
2912
"D-Bus signal"
3404
2913
pass
3405
2914
3406
2915
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3407
2916
"true"})
3408
2917
@dbus.service.signal(_interface, signature="os")
3409
2918
def ClientRemoved(self, objpath, name):
3410
2919
"D-Bus signal"
3411
2920
pass
3412
2921
3413
2922
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3414
2923
"true"})
3415
2924
@dbus.service.method(_interface, out_signature="ao")
3416
2925
def GetAllClients(self):
3417
2926
"D-Bus method"
3418
2927
return dbus.Array(c.dbus_object_path for c in
3419
tcp_server.clients.values())
3420
2928
tcp_server.clients.itervalues())
2929
3421
2930
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3422
2931
"true"})
3423
2932
@dbus.service.method(_interface,
3425
2934
def GetAllClientsWithProperties(self):
3426
2935
"D-Bus method"
3427
2936
return dbus.Dictionary(
3428
{c.dbus_object_path: c.GetAll(
2937
{ c.dbus_object_path: c.GetAll(
3429
2938
"se.recompile.Mandos.Client")
3430
for c in tcp_server.clients.values()},
2939
for c in tcp_server.clients.itervalues() },
3431
2940
signature="oa{sv}")
3432
2941
3433
2942
@dbus.service.method(_interface, in_signature="o")
3434
2943
def RemoveClient(self, object_path):
3435
2944
"D-Bus method"
3436
for c in tcp_server.clients.values():
2945
for c in tcp_server.clients.itervalues():
3437
2946
if c.dbus_object_path == object_path:
3438
2947
del tcp_server.clients[c.name]
3439
2948
c.remove_from_connection()
3443
2952
self.client_removed_signal(c)
3444
2953
return
3445
2954
raise KeyError(object_path)
3446
2955
3447
2956
del _interface
3448
2957
3449
2958
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3450
out_signature="a{oa{sa{sv}}}")
2959
out_signature = "a{oa{sa{sv}}}")
3451
2960
def GetManagedObjects(self):
3452
2961
"""D-Bus method"""
3453
2962
return dbus.Dictionary(
3454
{client.dbus_object_path:
3455
dbus.Dictionary(
3456
{interface: client.GetAll(interface)
3457
for interface in
3458
client._get_all_interface_names()})
3459
for client in tcp_server.clients.values()})
3460
2963
{ client.dbus_object_path:
2964
dbus.Dictionary(
2965
{ interface: client.GetAll(interface)
2966
for interface in
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2969
3461
2970
def client_added_signal(self, client):
3462
2971
"""Send the new standard signal and the old signal"""
3463
2972
if use_dbus:
3465
2974
self.InterfacesAdded(
3466
2975
client.dbus_object_path,
3467
2976
dbus.Dictionary(
3468
{interface: client.GetAll(interface)
3469
for interface in
3470
client._get_all_interface_names()}))
2977
{ interface: client.GetAll(interface)
2978
for interface in
2979
client._get_all_interface_names()}))
3471
2980
# Old signal
3472
2981
self.ClientAdded(client.dbus_object_path)
3473
2982
3474
2983
def client_removed_signal(self, client):
3475
2984
"""Send the new standard signal and the old signal"""
3476
2985
if use_dbus:
3481
2990
# Old signal
3482
2991
self.ClientRemoved(client.dbus_object_path,
3483
2992
client.name)
3484
2993
3485
2994
mandos_dbus_service = MandosDBusService()
3486
3487
# Save modules to variables to exempt the modules from being
3488
# unloaded before the function registered with atexit() is run.
3489
mp = multiprocessing
3490
wn = wnull
3491
2995
3492
2996
def cleanup():
3493
2997
"Cleanup function; run on exit"
3494
2998
if zeroconf:
3495
2999
service.cleanup()
3496
3497
mp.active_children()
3498
wn.close()
3000
3001
multiprocessing.active_children()
3002
wnull.close()
3499
3003
if not (tcp_server.clients or client_settings):
3500
3004
return
3501
3005
3502
3006
# Store client before exiting. Secrets are encrypted with key
3503
3007
# based on what config file has. If config file is
3504
3008
# removed/edited, old secret will thus be unrecovable.
3505
3009
clients = {}
3506
3010
with PGPEngine() as pgp:
3507
for client in tcp_server.clients.values():
3011
for client in tcp_server.clients.itervalues():
3508
3012
key = client_settings[client.name]["secret"]
3509
3013
client.encrypted_secret = pgp.encrypt(client.secret,
3510
3014
key)
3511
3015
client_dict = {}
3512
3016
3513
3017
# A list of attributes that can not be pickled
3514
3018
# + secret.
3515
exclude = {"bus", "changedstate", "secret",
3516
"checker", "server_settings"}
3019
exclude = { "bus", "changedstate", "secret",
3020
"checker", "server_settings" }
3517
3021
for name, typ in inspect.getmembers(dbus.service
3518
3022
.Object):
3519
3023
exclude.add(name)
3520
3024
3521
3025
client_dict["encrypted_secret"] = (client
3522
3026
.encrypted_secret)
3523
3027
for attr in client.client_structure:
3524
3028
if attr not in exclude:
3525
3029
client_dict[attr] = getattr(client, attr)
3526
3030
3527
3031
clients[client.name] = client_dict
3528
3032
del client_settings[client.name]["secret"]
3529
3033
3530
3034
try:
3531
3035
with tempfile.NamedTemporaryFile(
3532
3036
mode='wb',
3534
3038
prefix='clients-',
3535
3039
dir=os.path.dirname(stored_state_path),
3536
3040
delete=False) as stored_state:
3537
pickle.dump((clients, client_settings), stored_state,
3538
protocol=2)
3041
pickle.dump((clients, client_settings), stored_state)
3539
3042
tempname = stored_state.name
3540
3043
os.rename(tempname, stored_state_path)
3541
3044
except (IOError, OSError) as e:
3551
3054
logger.warning("Could not save persistent state:",
3552
3055
exc_info=e)
3553
3056
raise
3554
3057
3555
3058
# Delete all clients, and settings from config
3556
3059
while tcp_server.clients:
3557
3060
name, client = tcp_server.clients.popitem()
3563
3066
if use_dbus:
3564
3067
mandos_dbus_service.client_removed_signal(client)
3565
3068
client_settings.clear()
3566
3069
3567
3070
atexit.register(cleanup)
3568
3569
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3570
3073
if use_dbus:
3571
3074
# Emit D-Bus signal for adding
3572
3075
mandos_dbus_service.client_added_signal(client)
3573
3076
# Need to initiate checking of clients
3574
3077
if client.enabled:
3575
3078
client.init_checker()
3576
3079
3577
3080
tcp_server.enable()
3578
3081
tcp_server.server_activate()
3579
3082
3580
3083
# Find out what port we got
3581
3084
if zeroconf:
3582
3085
service.port = tcp_server.socket.getsockname()[1]
3587
3090
else: # IPv4
3588
3091
logger.info("Now listening on address %r, port %d",
3589
3092
*tcp_server.socket.getsockname())
3590
3591
# service.interface = tcp_server.socket.getsockname()[3]
3592
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3593
3096
try:
3594
3097
if zeroconf:
3595
3098
# From the Avahi example code
3600
3103
cleanup()
3601
3104
sys.exit(1)
3602
3105
# End of Avahi example code
3603
3604
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3605
lambda *args, **kwargs:
3606
(tcp_server.handle_request
3607
(*args[2:], **kwargs) or True))
3608
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3609
3112
logger.debug("Starting main loop")
3610
3113
main_loop.run()
3611
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0