To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 800
- compare with another revision
- download diff
- download tarball
- view history from revision 800
- Committer: Teddy Hogeborn
- Date: 2016-02-21 14:24:01 UTC
- Revision ID: teddy@recompile.se-20160221142401-j7glu6a2hg604d1e
Use AddressSanitizer and UndefinedBehaviorSanitizer.
* Makefile (SANITIZE): New; set to all sanitizing options depending on
GCC version.
(CFLAGS): Added "$(SANITIZE)".
* Makefile (SANITIZE): New; set to all sanitizing options depending on
GCC version.
(CFLAGS): Added "$(SANITIZE)".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.connection
48
import gnutls.errors
49
import gnutls.library.functions
50
import gnutls.library.constants
51
import gnutls.library.types
51
52
try:
52
53
import ConfigParser as configparser
53
54
except ImportError:
80
81
81
82
import dbus
82
83
import dbus.service
83
import gi
84
from gi.repository import GLib
84
try:
85
import gobject
86
except ImportError:
87
from gi.repository import GObject as gobject
88
import avahi
85
89
from dbus.mainloop.glib import DBusGMainLoop
86
90
import ctypes
87
91
import ctypes.util
88
92
import xml.dom.minidom
89
93
import inspect
90
94
91
# Try to find the value of SO_BINDTODEVICE:
92
95
try:
93
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
94
# newer, and it is also the most natural place for it:
95
96
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
96
97
except AttributeError:
97
98
try:
98
# This is where SO_BINDTODEVICE was up to and including Python
99
# 2.6, and also 3.2:
100
99
from IN import SO_BINDTODEVICE
101
100
except ImportError:
102
# In Python 2.7 it seems to have been removed entirely.
103
# Try running the C preprocessor:
104
try:
105
cc = subprocess.Popen(["cc", "--language=c", "-E",
106
"/dev/stdin"],
107
stdin=subprocess.PIPE,
108
stdout=subprocess.PIPE)
109
stdout = cc.communicate(
110
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
111
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
112
except (OSError, ValueError, IndexError):
113
# No value found
114
SO_BINDTODEVICE = None
101
SO_BINDTODEVICE = None
115
102
116
103
if sys.version_info.major == 2:
117
104
str = unicode
118
105
119
if sys.version_info < (3, 2):
120
configparser.Configparser = configparser.SafeConfigParser
121
122
version = "1.8.6"
106
version = "1.7.1"
123
107
stored_state_file = "clients.pickle"
124
108
125
109
logger = logging.getLogger()
129
113
if_nametoindex = ctypes.cdll.LoadLibrary(
130
114
ctypes.util.find_library("c")).if_nametoindex
131
115
except (OSError, AttributeError):
132
116
133
117
def if_nametoindex(interface):
134
118
"Get an interface index the hard way, i.e. using fcntl()"
135
119
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
140
124
return interface_index
141
125
142
126
143
def copy_function(func):
144
"""Make a copy of a function"""
145
if sys.version_info.major == 2:
146
return types.FunctionType(func.func_code,
147
func.func_globals,
148
func.func_name,
149
func.func_defaults,
150
func.func_closure)
151
else:
152
return types.FunctionType(func.__code__,
153
func.__globals__,
154
func.__name__,
155
func.__defaults__,
156
func.__closure__)
157
158
159
127
def initlogger(debug, level=logging.WARNING):
160
128
"""init logger and add loglevel"""
161
129
162
130
global syslogger
163
131
syslogger = (logging.handlers.SysLogHandler(
164
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
165
address="/dev/log"))
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
166
134
syslogger.setFormatter(logging.Formatter
167
135
('Mandos [%(process)d]: %(levelname)s:'
168
136
' %(message)s'))
169
137
logger.addHandler(syslogger)
170
138
171
139
if debug:
172
140
console = logging.StreamHandler()
173
141
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
185
153
186
154
class PGPEngine(object):
187
155
"""A simple class for OpenPGP symmetric encryption & decryption"""
188
156
189
157
def __init__(self):
190
158
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
191
self.gpg = "gpg"
192
try:
193
output = subprocess.check_output(["gpgconf"])
194
for line in output.splitlines():
195
name, text, path = line.split(b":")
196
if name == "gpg":
197
self.gpg = path
198
break
199
except OSError as e:
200
if e.errno != errno.ENOENT:
201
raise
202
159
self.gnupgargs = ['--batch',
203
'--homedir', self.tempdir,
160
'--home', self.tempdir,
204
161
'--force-mdc',
205
'--quiet']
206
# Only GPG version 1 has the --no-use-agent option.
207
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
208
self.gnupgargs.append("--no-use-agent")
209
162
'--quiet',
163
'--no-use-agent']
164
210
165
def __enter__(self):
211
166
return self
212
167
213
168
def __exit__(self, exc_type, exc_value, traceback):
214
169
self._cleanup()
215
170
return False
216
171
217
172
def __del__(self):
218
173
self._cleanup()
219
174
220
175
def _cleanup(self):
221
176
if self.tempdir is not None:
222
177
# Delete contents of tempdir
223
178
for root, dirs, files in os.walk(self.tempdir,
224
topdown=False):
179
topdown = False):
225
180
for filename in files:
226
181
os.remove(os.path.join(root, filename))
227
182
for dirname in dirs:
229
184
# Remove tempdir
230
185
os.rmdir(self.tempdir)
231
186
self.tempdir = None
232
187
233
188
def password_encode(self, password):
234
189
# Passphrase can not be empty and can not contain newlines or
235
190
# NUL bytes. So we prefix it and hex encode it.
240
195
.replace(b"\n", b"\\n")
241
196
.replace(b"\0", b"\\x00"))
242
197
return encoded
243
198
244
199
def encrypt(self, data, password):
245
200
passphrase = self.password_encode(password)
246
201
with tempfile.NamedTemporaryFile(
247
202
dir=self.tempdir) as passfile:
248
203
passfile.write(passphrase)
249
204
passfile.flush()
250
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
251
206
'--passphrase-file',
252
207
passfile.name]
253
208
+ self.gnupgargs,
254
stdin=subprocess.PIPE,
255
stdout=subprocess.PIPE,
256
stderr=subprocess.PIPE)
257
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
258
213
if proc.returncode != 0:
259
214
raise PGPError(err)
260
215
return ciphertext
261
216
262
217
def decrypt(self, data, password):
263
218
passphrase = self.password_encode(password)
264
219
with tempfile.NamedTemporaryFile(
265
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
266
221
passfile.write(passphrase)
267
222
passfile.flush()
268
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
269
224
'--passphrase-file',
270
225
passfile.name]
271
226
+ self.gnupgargs,
272
stdin=subprocess.PIPE,
273
stdout=subprocess.PIPE,
274
stderr=subprocess.PIPE)
275
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
276
231
if proc.returncode != 0:
277
232
raise PGPError(err)
278
233
return decrypted_plaintext
279
234
280
235
281
# Pretend that we have an Avahi module
282
class avahi(object):
283
"""This isn't so much a class as it is a module-like namespace."""
284
IF_UNSPEC = -1 # avahi-common/address.h
285
PROTO_UNSPEC = -1 # avahi-common/address.h
286
PROTO_INET = 0 # avahi-common/address.h
287
PROTO_INET6 = 1 # avahi-common/address.h
288
DBUS_NAME = "org.freedesktop.Avahi"
289
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
290
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
291
DBUS_PATH_SERVER = "/"
292
293
@staticmethod
294
def string_array_to_txt_array(t):
295
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
296
for s in t), signature="ay")
297
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
298
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
299
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
300
SERVER_INVALID = 0 # avahi-common/defs.h
301
SERVER_REGISTERING = 1 # avahi-common/defs.h
302
SERVER_RUNNING = 2 # avahi-common/defs.h
303
SERVER_COLLISION = 3 # avahi-common/defs.h
304
SERVER_FAILURE = 4 # avahi-common/defs.h
305
306
307
236
class AvahiError(Exception):
308
237
def __init__(self, value, *args, **kwargs):
309
238
self.value = value
321
250
322
251
class AvahiService(object):
323
252
"""An Avahi (Zeroconf) service.
324
253
325
254
Attributes:
326
255
interface: integer; avahi.IF_UNSPEC or an interface index.
327
256
Used to optionally bind to the specified interface.
339
268
server: D-Bus Server
340
269
bus: dbus.SystemBus()
341
270
"""
342
271
343
272
def __init__(self,
344
interface=avahi.IF_UNSPEC,
345
name=None,
346
servicetype=None,
347
port=None,
348
TXT=None,
349
domain="",
350
host="",
351
max_renames=32768,
352
protocol=avahi.PROTO_UNSPEC,
353
bus=None):
273
interface = avahi.IF_UNSPEC,
274
name = None,
275
servicetype = None,
276
port = None,
277
TXT = None,
278
domain = "",
279
host = "",
280
max_renames = 32768,
281
protocol = avahi.PROTO_UNSPEC,
282
bus = None):
354
283
self.interface = interface
355
284
self.name = name
356
285
self.type = servicetype
365
294
self.server = None
366
295
self.bus = bus
367
296
self.entry_group_state_changed_match = None
368
297
369
298
def rename(self, remove=True):
370
299
"""Derived from the Avahi example code"""
371
300
if self.rename_count >= self.max_renames:
391
320
logger.critical("D-Bus Exception", exc_info=error)
392
321
self.cleanup()
393
322
os._exit(1)
394
323
395
324
def remove(self):
396
325
"""Derived from the Avahi example code"""
397
326
if self.entry_group_state_changed_match is not None:
399
328
self.entry_group_state_changed_match = None
400
329
if self.group is not None:
401
330
self.group.Reset()
402
331
403
332
def add(self):
404
333
"""Derived from the Avahi example code"""
405
334
self.remove()
422
351
dbus.UInt16(self.port),
423
352
avahi.string_array_to_txt_array(self.TXT))
424
353
self.group.Commit()
425
354
426
355
def entry_group_state_changed(self, state, error):
427
356
"""Derived from the Avahi example code"""
428
357
logger.debug("Avahi entry group state change: %i", state)
429
358
430
359
if state == avahi.ENTRY_GROUP_ESTABLISHED:
431
360
logger.debug("Zeroconf service established.")
432
361
elif state == avahi.ENTRY_GROUP_COLLISION:
436
365
logger.critical("Avahi: Error in group state changed %s",
437
366
str(error))
438
367
raise AvahiGroupError("State changed: {!s}".format(error))
439
368
440
369
def cleanup(self):
441
370
"""Derived from the Avahi example code"""
442
371
if self.group is not None:
447
376
pass
448
377
self.group = None
449
378
self.remove()
450
379
451
380
def server_state_changed(self, state, error=None):
452
381
"""Derived from the Avahi example code"""
453
382
logger.debug("Avahi server state change: %i", state)
482
411
logger.debug("Unknown state: %r", state)
483
412
else:
484
413
logger.debug("Unknown state: %r: %r", state, error)
485
414
486
415
def activate(self):
487
416
"""Derived from the Avahi example code"""
488
417
if self.server is None:
499
428
class AvahiServiceToSyslog(AvahiService):
500
429
def rename(self, *args, **kwargs):
501
430
"""Add the new name to the syslog messages"""
502
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
503
432
syslogger.setFormatter(logging.Formatter(
504
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
505
434
.format(self.name)))
506
435
return ret
507
436
508
509
# Pretend that we have a GnuTLS module
510
class gnutls(object):
511
"""This isn't so much a class as it is a module-like namespace."""
512
513
library = ctypes.util.find_library("gnutls")
514
if library is None:
515
library = ctypes.util.find_library("gnutls-deb0")
516
_library = ctypes.cdll.LoadLibrary(library)
517
del library
518
519
# Unless otherwise indicated, the constants and types below are
520
# all from the gnutls/gnutls.h C header file.
521
522
# Constants
523
E_SUCCESS = 0
524
E_INTERRUPTED = -52
525
E_AGAIN = -28
526
CRT_OPENPGP = 2
527
CRT_RAWPK = 3
528
CLIENT = 2
529
SHUT_RDWR = 0
530
CRD_CERTIFICATE = 1
531
E_NO_CERTIFICATE_FOUND = -49
532
X509_FMT_DER = 0
533
NO_TICKETS = 1<<10
534
ENABLE_RAWPK = 1<<18
535
CTYPE_PEERS = 3
536
KEYID_USE_SHA256 = 1 # gnutls/x509.h
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
539
# Types
540
class session_int(ctypes.Structure):
541
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
543
544
class certificate_credentials_st(ctypes.Structure):
545
_fields_ = []
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
549
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
553
554
class openpgp_crt_int(ctypes.Structure):
555
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
562
563
# Exceptions
564
class Error(Exception):
565
def __init__(self, message=None, code=None, args=()):
566
# Default usage is by a message string, but if a return
567
# code is passed, convert it to a string with
568
# gnutls.strerror()
569
self.code = code
570
if message is None and code is not None:
571
message = gnutls.strerror(code)
572
return super(gnutls.Error, self).__init__(
573
message, *args)
574
575
class CertificateSecurityError(Error):
576
pass
577
578
# Classes
579
class Credentials(object):
580
def __init__(self):
581
self._c_object = gnutls.certificate_credentials_t()
582
gnutls.certificate_allocate_credentials(
583
ctypes.byref(self._c_object))
584
self.type = gnutls.CRD_CERTIFICATE
585
586
def __del__(self):
587
gnutls.certificate_free_credentials(self._c_object)
588
589
class ClientSession(object):
590
def __init__(self, socket, credentials=None):
591
self._c_object = gnutls.session_t()
592
gnutls_flags = gnutls.CLIENT
593
if gnutls.check_version(b"3.5.6"):
594
gnutls_flags |= gnutls.NO_TICKETS
595
if gnutls.has_rawpk:
596
gnutls_flags |= gnutls.ENABLE_RAWPK
597
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
598
del gnutls_flags
599
gnutls.set_default_priority(self._c_object)
600
gnutls.transport_set_ptr(self._c_object, socket.fileno())
601
gnutls.handshake_set_private_extensions(self._c_object,
602
True)
603
self.socket = socket
604
if credentials is None:
605
credentials = gnutls.Credentials()
606
gnutls.credentials_set(self._c_object, credentials.type,
607
ctypes.cast(credentials._c_object,
608
ctypes.c_void_p))
609
self.credentials = credentials
610
611
def __del__(self):
612
gnutls.deinit(self._c_object)
613
614
def handshake(self):
615
return gnutls.handshake(self._c_object)
616
617
def send(self, data):
618
data = bytes(data)
619
data_len = len(data)
620
while data_len > 0:
621
data_len -= gnutls.record_send(self._c_object,
622
data[-data_len:],
623
data_len)
624
625
def bye(self):
626
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
627
628
# Error handling functions
629
def _error_code(result):
630
"""A function to raise exceptions on errors, suitable
631
for the 'restype' attribute on ctypes functions"""
632
if result >= 0:
633
return result
634
if result == gnutls.E_NO_CERTIFICATE_FOUND:
635
raise gnutls.CertificateSecurityError(code=result)
636
raise gnutls.Error(code=result)
637
638
def _retry_on_error(result, func, arguments):
639
"""A function to retry on some errors, suitable
640
for the 'errcheck' attribute on ctypes functions"""
641
while result < 0:
642
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
643
return _error_code(result)
644
result = func(*arguments)
645
return result
646
647
# Unless otherwise indicated, the function declarations below are
648
# all from the gnutls/gnutls.h C header file.
649
650
# Functions
651
priority_set_direct = _library.gnutls_priority_set_direct
652
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
653
ctypes.POINTER(ctypes.c_char_p)]
654
priority_set_direct.restype = _error_code
655
656
init = _library.gnutls_init
657
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
658
init.restype = _error_code
659
660
set_default_priority = _library.gnutls_set_default_priority
661
set_default_priority.argtypes = [session_t]
662
set_default_priority.restype = _error_code
663
664
record_send = _library.gnutls_record_send
665
record_send.argtypes = [session_t, ctypes.c_void_p,
666
ctypes.c_size_t]
667
record_send.restype = ctypes.c_ssize_t
668
record_send.errcheck = _retry_on_error
669
670
certificate_allocate_credentials = (
671
_library.gnutls_certificate_allocate_credentials)
672
certificate_allocate_credentials.argtypes = [
673
ctypes.POINTER(certificate_credentials_t)]
674
certificate_allocate_credentials.restype = _error_code
675
676
certificate_free_credentials = (
677
_library.gnutls_certificate_free_credentials)
678
certificate_free_credentials.argtypes = [
679
certificate_credentials_t]
680
certificate_free_credentials.restype = None
681
682
handshake_set_private_extensions = (
683
_library.gnutls_handshake_set_private_extensions)
684
handshake_set_private_extensions.argtypes = [session_t,
685
ctypes.c_int]
686
handshake_set_private_extensions.restype = None
687
688
credentials_set = _library.gnutls_credentials_set
689
credentials_set.argtypes = [session_t, credentials_type_t,
690
ctypes.c_void_p]
691
credentials_set.restype = _error_code
692
693
strerror = _library.gnutls_strerror
694
strerror.argtypes = [ctypes.c_int]
695
strerror.restype = ctypes.c_char_p
696
697
certificate_type_get = _library.gnutls_certificate_type_get
698
certificate_type_get.argtypes = [session_t]
699
certificate_type_get.restype = _error_code
700
701
certificate_get_peers = _library.gnutls_certificate_get_peers
702
certificate_get_peers.argtypes = [session_t,
703
ctypes.POINTER(ctypes.c_uint)]
704
certificate_get_peers.restype = ctypes.POINTER(datum_t)
705
706
global_set_log_level = _library.gnutls_global_set_log_level
707
global_set_log_level.argtypes = [ctypes.c_int]
708
global_set_log_level.restype = None
709
710
global_set_log_function = _library.gnutls_global_set_log_function
711
global_set_log_function.argtypes = [log_func]
712
global_set_log_function.restype = None
713
714
deinit = _library.gnutls_deinit
715
deinit.argtypes = [session_t]
716
deinit.restype = None
717
718
handshake = _library.gnutls_handshake
719
handshake.argtypes = [session_t]
720
handshake.restype = _error_code
721
handshake.errcheck = _retry_on_error
722
723
transport_set_ptr = _library.gnutls_transport_set_ptr
724
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
725
transport_set_ptr.restype = None
726
727
bye = _library.gnutls_bye
728
bye.argtypes = [session_t, close_request_t]
729
bye.restype = _error_code
730
bye.errcheck = _retry_on_error
731
732
check_version = _library.gnutls_check_version
733
check_version.argtypes = [ctypes.c_char_p]
734
check_version.restype = ctypes.c_char_p
735
736
_need_version = b"3.3.0"
737
if check_version(_need_version) is None:
738
raise self.Error("Needs GnuTLS {} or later"
739
.format(_need_version))
740
741
_tls_rawpk_version = b"3.6.6"
742
has_rawpk = bool(check_version(_tls_rawpk_version))
743
744
if has_rawpk:
745
# Types
746
class pubkey_st(ctypes.Structure):
747
_fields = []
748
pubkey_t = ctypes.POINTER(pubkey_st)
749
750
x509_crt_fmt_t = ctypes.c_int
751
752
# All the function declarations below are from gnutls/abstract.h
753
pubkey_init = _library.gnutls_pubkey_init
754
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
755
pubkey_init.restype = _error_code
756
757
pubkey_import = _library.gnutls_pubkey_import
758
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
759
x509_crt_fmt_t]
760
pubkey_import.restype = _error_code
761
762
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
763
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
764
ctypes.POINTER(ctypes.c_ubyte),
765
ctypes.POINTER(ctypes.c_size_t)]
766
pubkey_get_key_id.restype = _error_code
767
768
pubkey_deinit = _library.gnutls_pubkey_deinit
769
pubkey_deinit.argtypes = [pubkey_t]
770
pubkey_deinit.restype = None
771
else:
772
# All the function declarations below are from gnutls/openpgp.h
773
774
openpgp_crt_init = _library.gnutls_openpgp_crt_init
775
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
776
openpgp_crt_init.restype = _error_code
777
778
openpgp_crt_import = _library.gnutls_openpgp_crt_import
779
openpgp_crt_import.argtypes = [openpgp_crt_t,
780
ctypes.POINTER(datum_t),
781
openpgp_crt_fmt_t]
782
openpgp_crt_import.restype = _error_code
783
784
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
785
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
786
ctypes.POINTER(ctypes.c_uint)]
787
openpgp_crt_verify_self.restype = _error_code
788
789
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
790
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
791
openpgp_crt_deinit.restype = None
792
793
openpgp_crt_get_fingerprint = (
794
_library.gnutls_openpgp_crt_get_fingerprint)
795
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
796
ctypes.c_void_p,
797
ctypes.POINTER(
798
ctypes.c_size_t)]
799
openpgp_crt_get_fingerprint.restype = _error_code
800
801
if check_version(b"3.6.4"):
802
certificate_type_get2 = _library.gnutls_certificate_type_get2
803
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
804
certificate_type_get2.restype = _error_code
805
806
# Remove non-public functions
807
del _error_code, _retry_on_error
808
809
810
437
def call_pipe(connection, # : multiprocessing.Connection
811
438
func, *args, **kwargs):
812
439
"""This function is meant to be called by multiprocessing.Process
813
440
814
441
This function runs func(*args, **kwargs), and writes the resulting
815
442
return value on the provided multiprocessing.Connection.
816
443
"""
817
444
connection.send(func(*args, **kwargs))
818
445
connection.close()
819
446
820
821
447
class Client(object):
822
448
"""A representation of a client host served by this server.
823
449
824
450
Attributes:
825
451
approved: bool(); 'None' if not yet approved/disapproved
826
452
approval_delay: datetime.timedelta(); Time to wait for approval
827
453
approval_duration: datetime.timedelta(); Duration of one approval
828
checker: multiprocessing.Process(); a running checker process used
829
to see if the client lives. 'None' if no process is
830
running.
831
checker_callback_tag: a GLib event source tag, or None
454
checker: subprocess.Popen(); a running checker process used
455
to see if the client lives.
456
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
832
458
checker_command: string; External command which is run to check
833
459
if client lives. %() expansions are done at
834
460
runtime with vars(self) as dict, so that for
835
461
instance %(name)s can be used in the command.
836
checker_initiator_tag: a GLib event source tag, or None
462
checker_initiator_tag: a gobject event source tag, or None
837
463
created: datetime.datetime(); (UTC) object creation
838
464
client_structure: Object describing what attributes a client has
839
465
and is used for storing the client at exit
840
466
current_checker_command: string; current running checker_command
841
disable_initiator_tag: a GLib event source tag, or None
467
disable_initiator_tag: a gobject event source tag, or None
842
468
enabled: bool()
843
469
fingerprint: string (40 or 32 hexadecimal digits); used to
844
uniquely identify an OpenPGP client
845
key_id: string (64 hexadecimal digits); used to uniquely identify
846
a client using raw public keys
470
uniquely identify the client
847
471
host: string; available for use by the checker command
848
472
interval: datetime.timedelta(); How often to start a new checker
849
473
last_approval_request: datetime.datetime(); (UTC) or None
865
489
disabled, or None
866
490
server_settings: The server_settings dict from main()
867
491
"""
868
492
869
493
runtime_expansions = ("approval_delay", "approval_duration",
870
"created", "enabled", "expires", "key_id",
494
"created", "enabled", "expires",
871
495
"fingerprint", "host", "interval",
872
496
"last_approval_request", "last_checked_ok",
873
497
"last_enabled", "name", "timeout")
882
506
"approved_by_default": "True",
883
507
"enabled": "True",
884
508
}
885
509
886
510
@staticmethod
887
511
def config_parser(config):
888
512
"""Construct a new dict of client settings of this form:
895
519
for client_name in config.sections():
896
520
section = dict(config.items(client_name))
897
521
client = settings[client_name] = {}
898
522
899
523
client["host"] = section["host"]
900
524
# Reformat values from string types to Python types
901
525
client["approved_by_default"] = config.getboolean(
902
526
client_name, "approved_by_default")
903
527
client["enabled"] = config.getboolean(client_name,
904
528
"enabled")
905
906
# Uppercase and remove spaces from key_id and fingerprint
907
# for later comparison purposes with return value from the
908
# key_id() and fingerprint() functions
909
client["key_id"] = (section.get("key_id", "").upper()
910
.replace(" ", ""))
529
530
# Uppercase and remove spaces from fingerprint for later
531
# comparison purposes with return value from the
532
# fingerprint() function
911
533
client["fingerprint"] = (section["fingerprint"].upper()
912
534
.replace(" ", ""))
913
535
if "secret" in section:
914
client["secret"] = codecs.decode(section["secret"]
915
.encode("utf-8"),
916
"base64")
536
client["secret"] = section["secret"].decode("base64")
917
537
elif "secfile" in section:
918
538
with open(os.path.expanduser(os.path.expandvars
919
539
(section["secfile"])),
934
554
client["last_approval_request"] = None
935
555
client["last_checked_ok"] = None
936
556
client["last_checker_status"] = -2
937
557
938
558
return settings
939
940
def __init__(self, settings, name=None, server_settings=None):
559
560
def __init__(self, settings, name = None, server_settings=None):
941
561
self.name = name
942
562
if server_settings is None:
943
563
server_settings = {}
945
565
# adding all client settings
946
566
for setting, value in settings.items():
947
567
setattr(self, setting, value)
948
568
949
569
if self.enabled:
950
570
if not hasattr(self, "last_enabled"):
951
571
self.last_enabled = datetime.datetime.utcnow()
955
575
else:
956
576
self.last_enabled = None
957
577
self.expires = None
958
578
959
579
logger.debug("Creating client %r", self.name)
960
logger.debug(" Key ID: %s", self.key_id)
961
580
logger.debug(" Fingerprint: %s", self.fingerprint)
962
581
self.created = settings.get("created",
963
582
datetime.datetime.utcnow())
964
583
965
584
# attributes specific for this server instance
966
585
self.checker = None
967
586
self.checker_initiator_tag = None
973
592
self.changedstate = multiprocessing_manager.Condition(
974
593
multiprocessing_manager.Lock())
975
594
self.client_structure = [attr
976
for attr in self.__dict__.keys()
595
for attr in self.__dict__.iterkeys()
977
596
if not attr.startswith("_")]
978
597
self.client_structure.append("client_structure")
979
598
980
599
for name, t in inspect.getmembers(
981
600
type(self), lambda obj: isinstance(obj, property)):
982
601
if not name.startswith("_"):
983
602
self.client_structure.append(name)
984
603
985
604
# Send notice to process children that client state has changed
986
605
def send_changedstate(self):
987
606
with self.changedstate:
988
607
self.changedstate.notify_all()
989
608
990
609
def enable(self):
991
610
"""Start this client's checker and timeout hooks"""
992
611
if getattr(self, "enabled", False):
997
616
self.last_enabled = datetime.datetime.utcnow()
998
617
self.init_checker()
999
618
self.send_changedstate()
1000
619
1001
620
def disable(self, quiet=True):
1002
621
"""Disable this client."""
1003
622
if not getattr(self, "enabled", False):
1005
624
if not quiet:
1006
625
logger.info("Disabling client %s", self.name)
1007
626
if getattr(self, "disable_initiator_tag", None) is not None:
1008
GLib.source_remove(self.disable_initiator_tag)
627
gobject.source_remove(self.disable_initiator_tag)
1009
628
self.disable_initiator_tag = None
1010
629
self.expires = None
1011
630
if getattr(self, "checker_initiator_tag", None) is not None:
1012
GLib.source_remove(self.checker_initiator_tag)
631
gobject.source_remove(self.checker_initiator_tag)
1013
632
self.checker_initiator_tag = None
1014
633
self.stop_checker()
1015
634
self.enabled = False
1016
635
if not quiet:
1017
636
self.send_changedstate()
1018
# Do not run this again if called by a GLib.timeout_add
637
# Do not run this again if called by a gobject.timeout_add
1019
638
return False
1020
639
1021
640
def __del__(self):
1022
641
self.disable()
1023
642
1024
643
def init_checker(self):
1025
644
# Schedule a new checker to be started an 'interval' from now,
1026
645
# and every interval from then on.
1027
646
if self.checker_initiator_tag is not None:
1028
GLib.source_remove(self.checker_initiator_tag)
1029
self.checker_initiator_tag = GLib.timeout_add(
647
gobject.source_remove(self.checker_initiator_tag)
648
self.checker_initiator_tag = gobject.timeout_add(
1030
649
int(self.interval.total_seconds() * 1000),
1031
650
self.start_checker)
1032
651
# Schedule a disable() when 'timeout' has passed
1033
652
if self.disable_initiator_tag is not None:
1034
GLib.source_remove(self.disable_initiator_tag)
1035
self.disable_initiator_tag = GLib.timeout_add(
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = gobject.timeout_add(
1036
655
int(self.timeout.total_seconds() * 1000), self.disable)
1037
656
# Also start a new checker *right now*.
1038
657
self.start_checker()
1039
658
1040
659
def checker_callback(self, source, condition, connection,
1041
660
command):
1042
661
"""The checker has completed, so take appropriate actions."""
662
self.checker_callback_tag = None
663
self.checker = None
1043
664
# Read return code from connection (see call_pipe)
1044
665
returncode = connection.recv()
1045
666
connection.close()
1046
self.checker.join()
1047
self.checker_callback_tag = None
1048
self.checker = None
1049
667
1050
668
if returncode >= 0:
1051
669
self.last_checker_status = returncode
1052
670
self.last_checker_signal = None
1062
680
logger.warning("Checker for %(name)s crashed?",
1063
681
vars(self))
1064
682
return False
1065
683
1066
684
def checked_ok(self):
1067
685
"""Assert that the client has been seen, alive and well."""
1068
686
self.last_checked_ok = datetime.datetime.utcnow()
1069
687
self.last_checker_status = 0
1070
688
self.last_checker_signal = None
1071
689
self.bump_timeout()
1072
690
1073
691
def bump_timeout(self, timeout=None):
1074
692
"""Bump up the timeout for this client."""
1075
693
if timeout is None:
1076
694
timeout = self.timeout
1077
695
if self.disable_initiator_tag is not None:
1078
GLib.source_remove(self.disable_initiator_tag)
696
gobject.source_remove(self.disable_initiator_tag)
1079
697
self.disable_initiator_tag = None
1080
698
if getattr(self, "enabled", False):
1081
self.disable_initiator_tag = GLib.timeout_add(
699
self.disable_initiator_tag = gobject.timeout_add(
1082
700
int(timeout.total_seconds() * 1000), self.disable)
1083
701
self.expires = datetime.datetime.utcnow() + timeout
1084
702
1085
703
def need_approval(self):
1086
704
self.last_approval_request = datetime.datetime.utcnow()
1087
705
1088
706
def start_checker(self):
1089
707
"""Start a new checker subprocess if one is not running.
1090
708
1091
709
If a checker already exists, leave it running and do
1092
710
nothing."""
1093
711
# The reason for not killing a running checker is that if we
1098
716
# checkers alone, the checker would have to take more time
1099
717
# than 'timeout' for the client to be disabled, which is as it
1100
718
# should be.
1101
719
1102
720
if self.checker is not None and not self.checker.is_alive():
1103
721
logger.warning("Checker was not alive; joining")
1104
722
self.checker.join()
1108
726
# Escape attributes for the shell
1109
727
escaped_attrs = {
1110
728
attr: re.escape(str(getattr(self, attr)))
1111
for attr in self.runtime_expansions}
729
for attr in self.runtime_expansions }
1112
730
try:
1113
731
command = self.checker_command % escaped_attrs
1114
732
except TypeError as error:
1126
744
# The exception is when not debugging but nevertheless
1127
745
# running in the foreground; use the previously
1128
746
# created wnull.
1129
popen_args = {"close_fds": True,
1130
"shell": True,
1131
"cwd": "/"}
747
popen_args = { "close_fds": True,
748
"shell": True,
749
"cwd": "/" }
1132
750
if (not self.server_settings["debug"]
1133
751
and self.server_settings["foreground"]):
1134
752
popen_args.update({"stdout": wnull,
1135
"stderr": wnull})
1136
pipe = multiprocessing.Pipe(duplex=False)
753
"stderr": wnull })
754
pipe = multiprocessing.Pipe(duplex = False)
1137
755
self.checker = multiprocessing.Process(
1138
target=call_pipe,
1139
args=(pipe[1], subprocess.call, command),
1140
kwargs=popen_args)
756
target = call_pipe,
757
args = (pipe[1], subprocess.call, command),
758
kwargs = popen_args)
1141
759
self.checker.start()
1142
self.checker_callback_tag = GLib.io_add_watch(
1143
pipe[0].fileno(), GLib.IO_IN,
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
1144
762
self.checker_callback, pipe[0], command)
1145
# Re-run this periodically if run by GLib.timeout_add
763
# Re-run this periodically if run by gobject.timeout_add
1146
764
return True
1147
765
1148
766
def stop_checker(self):
1149
767
"""Force the checker process, if any, to stop."""
1150
768
if self.checker_callback_tag:
1151
GLib.source_remove(self.checker_callback_tag)
769
gobject.source_remove(self.checker_callback_tag)
1152
770
self.checker_callback_tag = None
1153
771
if getattr(self, "checker", None) is None:
1154
772
return
1163
781
byte_arrays=False):
1164
782
"""Decorators for marking methods of a DBusObjectWithProperties to
1165
783
become properties on the D-Bus.
1166
784
1167
785
The decorated method will be called with no arguments by "Get"
1168
786
and with one argument by "Set".
1169
787
1170
788
The parameters, where they are supported, are the same as
1171
789
dbus.service.method, except there is only "signature", since the
1172
790
type from Get() and the type sent to Set() is the same.
1176
794
if byte_arrays and signature != "ay":
1177
795
raise ValueError("Byte arrays not supported for non-'ay'"
1178
796
" signature {!r}".format(signature))
1179
797
1180
798
def decorator(func):
1181
799
func._dbus_is_property = True
1182
800
func._dbus_interface = dbus_interface
1185
803
func._dbus_name = func.__name__
1186
804
if func._dbus_name.endswith("_dbus_property"):
1187
805
func._dbus_name = func._dbus_name[:-14]
1188
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1189
807
return func
1190
808
1191
809
return decorator
1192
810
1193
811
1194
812
def dbus_interface_annotations(dbus_interface):
1195
813
"""Decorator for marking functions returning interface annotations
1196
814
1197
815
Usage:
1198
816
1199
817
@dbus_interface_annotations("org.example.Interface")
1200
818
def _foo(self): # Function name does not matter
1201
819
return {"org.freedesktop.DBus.Deprecated": "true",
1202
820
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1203
821
"false"}
1204
822
"""
1205
823
1206
824
def decorator(func):
1207
825
func._dbus_is_interface = True
1208
826
func._dbus_interface = dbus_interface
1209
827
func._dbus_name = dbus_interface
1210
828
return func
1211
829
1212
830
return decorator
1213
831
1214
832
1215
833
def dbus_annotations(annotations):
1216
834
"""Decorator to annotate D-Bus methods, signals or properties
1217
835
Usage:
1218
836
1219
837
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1220
838
"org.freedesktop.DBus.Property."
1221
839
"EmitsChangedSignal": "false"})
1223
841
access="r")
1224
842
def Property_dbus_property(self):
1225
843
return dbus.Boolean(False)
1226
844
1227
845
See also the DBusObjectWithAnnotations class.
1228
846
"""
1229
847
1230
848
def decorator(func):
1231
849
func._dbus_annotations = annotations
1232
850
return func
1233
851
1234
852
return decorator
1235
853
1236
854
1254
872
1255
873
class DBusObjectWithAnnotations(dbus.service.Object):
1256
874
"""A D-Bus object with annotations.
1257
875
1258
876
Classes inheriting from this can use the dbus_annotations
1259
877
decorator to add annotations to methods or signals.
1260
878
"""
1261
879
1262
880
@staticmethod
1263
881
def _is_dbus_thing(thing):
1264
882
"""Returns a function testing if an attribute is a D-Bus thing
1265
883
1266
884
If called like _is_dbus_thing("method") it returns a function
1267
885
suitable for use as predicate to inspect.getmembers().
1268
886
"""
1269
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1270
888
False)
1271
889
1272
890
def _get_all_dbus_things(self, thing):
1273
891
"""Returns a generator of (name, attribute) pairs
1274
892
"""
1277
895
for cls in self.__class__.__mro__
1278
896
for name, athing in
1279
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1280
898
1281
899
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1282
out_signature="s",
1283
path_keyword='object_path',
1284
connection_keyword='connection')
900
out_signature = "s",
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
1285
903
def Introspect(self, object_path, connection):
1286
904
"""Overloading of standard D-Bus method.
1287
905
1288
906
Inserts annotation tags on methods and signals.
1289
907
"""
1290
908
xmlstring = dbus.service.Object.Introspect(self, object_path,
1291
909
connection)
1292
910
try:
1293
911
document = xml.dom.minidom.parseString(xmlstring)
1294
912
1295
913
for if_tag in document.getElementsByTagName("interface"):
1296
914
# Add annotation tags
1297
915
for typ in ("method", "signal"):
1324
942
if_tag.appendChild(ann_tag)
1325
943
# Fix argument name for the Introspect method itself
1326
944
if (if_tag.getAttribute("name")
1327
== dbus.INTROSPECTABLE_IFACE):
945
== dbus.INTROSPECTABLE_IFACE):
1328
946
for cn in if_tag.getElementsByTagName("method"):
1329
947
if cn.getAttribute("name") == "Introspect":
1330
948
for arg in cn.getElementsByTagName("arg"):
1343
961
1344
962
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1345
963
"""A D-Bus object with properties.
1346
964
1347
965
Classes inheriting from this can use the dbus_service_property
1348
966
decorator to expose methods as D-Bus properties. It exposes the
1349
967
standard Get(), Set(), and GetAll() methods on the D-Bus.
1350
968
"""
1351
969
1352
970
def _get_dbus_property(self, interface_name, property_name):
1353
971
"""Returns a bound method if one exists which is a D-Bus
1354
972
property with the specified name and interface.
1359
977
if (value._dbus_name == property_name
1360
978
and value._dbus_interface == interface_name):
1361
979
return value.__get__(self)
1362
980
1363
981
# No such property
1364
982
raise DBusPropertyNotFound("{}:{}.{}".format(
1365
983
self.dbus_object_path, interface_name, property_name))
1366
984
1367
985
@classmethod
1368
986
def _get_all_interface_names(cls):
1369
987
"""Get a sequence of all interfaces supported by an object"""
1372
990
for x in (inspect.getmro(cls))
1373
991
for attr in dir(x))
1374
992
if name is not None)
1375
993
1376
994
@dbus.service.method(dbus.PROPERTIES_IFACE,
1377
995
in_signature="ss",
1378
996
out_signature="v")
1386
1004
if not hasattr(value, "variant_level"):
1387
1005
return value
1388
1006
return type(value)(value, variant_level=value.variant_level+1)
1389
1007
1390
1008
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1391
1009
def Set(self, interface_name, property_name, value):
1392
1010
"""Standard D-Bus property Set() method, see D-Bus standard.
1404
1022
value = dbus.ByteArray(b''.join(chr(byte)
1405
1023
for byte in value))
1406
1024
prop(value)
1407
1025
1408
1026
@dbus.service.method(dbus.PROPERTIES_IFACE,
1409
1027
in_signature="s",
1410
1028
out_signature="a{sv}")
1411
1029
def GetAll(self, interface_name):
1412
1030
"""Standard D-Bus property GetAll() method, see D-Bus
1413
1031
standard.
1414
1032
1415
1033
Note: Will not include properties with access="write".
1416
1034
"""
1417
1035
properties = {}
1428
1046
properties[name] = value
1429
1047
continue
1430
1048
properties[name] = type(value)(
1431
value, variant_level=value.variant_level + 1)
1049
value, variant_level = value.variant_level + 1)
1432
1050
return dbus.Dictionary(properties, signature="sv")
1433
1051
1434
1052
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1435
1053
def PropertiesChanged(self, interface_name, changed_properties,
1436
1054
invalidated_properties):
1438
1056
standard.
1439
1057
"""
1440
1058
pass
1441
1059
1442
1060
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1443
1061
out_signature="s",
1444
1062
path_keyword='object_path',
1445
1063
connection_keyword='connection')
1446
1064
def Introspect(self, object_path, connection):
1447
1065
"""Overloading of standard D-Bus method.
1448
1066
1449
1067
Inserts property tags and interface annotation tags.
1450
1068
"""
1451
1069
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1453
1071
connection)
1454
1072
try:
1455
1073
document = xml.dom.minidom.parseString(xmlstring)
1456
1074
1457
1075
def make_tag(document, name, prop):
1458
1076
e = document.createElement("property")
1459
1077
e.setAttribute("name", name)
1460
1078
e.setAttribute("type", prop._dbus_signature)
1461
1079
e.setAttribute("access", prop._dbus_access)
1462
1080
return e
1463
1081
1464
1082
for if_tag in document.getElementsByTagName("interface"):
1465
1083
# Add property tags
1466
1084
for tag in (make_tag(document, name, prop)
1508
1126
exc_info=error)
1509
1127
return xmlstring
1510
1128
1511
1512
1129
try:
1513
1130
dbus.OBJECT_MANAGER_IFACE
1514
1131
except AttributeError:
1515
1132
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1516
1133
1517
1518
1134
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1519
1135
"""A D-Bus object with an ObjectManager.
1520
1136
1521
1137
Classes inheriting from this exposes the standard
1522
1138
GetManagedObjects call and the InterfacesAdded and
1523
1139
InterfacesRemoved signals on the standard
1524
1140
"org.freedesktop.DBus.ObjectManager" interface.
1525
1141
1526
1142
Note: No signals are sent automatically; they must be sent
1527
1143
manually.
1528
1144
"""
1529
1145
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1530
out_signature="a{oa{sa{sv}}}")
1146
out_signature = "a{oa{sa{sv}}}")
1531
1147
def GetManagedObjects(self):
1532
1148
"""This function must be overridden"""
1533
1149
raise NotImplementedError()
1534
1150
1535
1151
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1536
signature="oa{sa{sv}}")
1152
signature = "oa{sa{sv}}")
1537
1153
def InterfacesAdded(self, object_path, interfaces_and_properties):
1538
1154
pass
1539
1540
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1155
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1541
1157
def InterfacesRemoved(self, object_path, interfaces):
1542
1158
pass
1543
1159
1544
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1545
out_signature="s",
1546
path_keyword='object_path',
1547
connection_keyword='connection')
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1548
1164
def Introspect(self, object_path, connection):
1549
1165
"""Overloading of standard D-Bus method.
1550
1166
1551
1167
Override return argument name of GetManagedObjects to be
1552
1168
"objpath_interfaces_and_properties"
1553
1169
"""
1556
1172
connection)
1557
1173
try:
1558
1174
document = xml.dom.minidom.parseString(xmlstring)
1559
1175
1560
1176
for if_tag in document.getElementsByTagName("interface"):
1561
1177
# Fix argument name for the GetManagedObjects method
1562
1178
if (if_tag.getAttribute("name")
1563
== dbus.OBJECT_MANAGER_IFACE):
1179
== dbus.OBJECT_MANAGER_IFACE):
1564
1180
for cn in if_tag.getElementsByTagName("method"):
1565
1181
if (cn.getAttribute("name")
1566
1182
== "GetManagedObjects"):
1576
1192
except (AttributeError, xml.dom.DOMException,
1577
1193
xml.parsers.expat.ExpatError) as error:
1578
1194
logger.error("Failed to override Introspection method",
1579
exc_info=error)
1195
exc_info = error)
1580
1196
return xmlstring
1581
1197
1582
1583
1198
def datetime_to_dbus(dt, variant_level=0):
1584
1199
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1585
1200
if dt is None:
1586
return dbus.String("", variant_level=variant_level)
1201
return dbus.String("", variant_level = variant_level)
1587
1202
return dbus.String(dt.isoformat(), variant_level=variant_level)
1588
1203
1589
1204
1592
1207
dbus.service.Object, it will add alternate D-Bus attributes with
1593
1208
interface names according to the "alt_interface_names" mapping.
1594
1209
Usage:
1595
1210
1596
1211
@alternate_dbus_interfaces({"org.example.Interface":
1597
1212
"net.example.AlternateInterface"})
1598
1213
class SampleDBusObject(dbus.service.Object):
1599
1214
@dbus.service.method("org.example.Interface")
1600
1215
def SampleDBusMethod():
1601
1216
pass
1602
1217
1603
1218
The above "SampleDBusMethod" on "SampleDBusObject" will be
1604
1219
reachable via two interfaces: "org.example.Interface" and
1605
1220
"net.example.AlternateInterface", the latter of which will have
1606
1221
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1607
1222
"true", unless "deprecate" is passed with a False value.
1608
1223
1609
1224
This works for methods and signals, and also for D-Bus properties
1610
1225
(from DBusObjectWithProperties) and interfaces (from the
1611
1226
dbus_interface_annotations decorator).
1612
1227
"""
1613
1228
1614
1229
def wrapper(cls):
1615
1230
for orig_interface_name, alt_interface_name in (
1616
1231
alt_interface_names.items()):
1631
1246
interface_names.add(alt_interface)
1632
1247
# Is this a D-Bus signal?
1633
1248
if getattr(attribute, "_dbus_is_signal", False):
1634
# Extract the original non-method undecorated
1635
# function by black magic
1636
1249
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1637
1252
nonmethod_func = (dict(
1638
1253
zip(attribute.func_code.co_freevars,
1639
1254
attribute.__closure__))
1640
1255
["func"].cell_contents)
1641
1256
else:
1642
nonmethod_func = (dict(
1643
zip(attribute.__code__.co_freevars,
1644
attribute.__closure__))
1645
["func"].cell_contents)
1257
nonmethod_func = attribute
1646
1258
# Create a new, but exactly alike, function
1647
1259
# object, and decorate it to be a new D-Bus signal
1648
1260
# with the alternate D-Bus interface name
1649
new_function = copy_function(nonmethod_func)
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1268
else:
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1650
1275
new_function = (dbus.service.signal(
1651
1276
alt_interface,
1652
1277
attribute._dbus_signature)(new_function))
1656
1281
attribute._dbus_annotations)
1657
1282
except AttributeError:
1658
1283
pass
1659
1660
1284
# Define a creator of a function to call both the
1661
1285
# original and alternate functions, so both the
1662
1286
# original and alternate signals gets sent when
1665
1289
"""This function is a scope container to pass
1666
1290
func1 and func2 to the "call_both" function
1667
1291
outside of its arguments"""
1668
1292
1669
1293
@functools.wraps(func2)
1670
1294
def call_both(*args, **kwargs):
1671
1295
"""This function will emit two D-Bus
1672
1296
signals by calling func1 and func2"""
1673
1297
func1(*args, **kwargs)
1674
1298
func2(*args, **kwargs)
1675
# Make wrapper function look like a D-Bus
1676
# signal
1299
# Make wrapper function look like a D-Bus signal
1677
1300
for name, attr in inspect.getmembers(func2):
1678
1301
if name.startswith("_dbus_"):
1679
1302
setattr(call_both, name, attr)
1680
1303
1681
1304
return call_both
1682
1305
# Create the "call_both" function and add it to
1683
1306
# the class
1693
1316
alt_interface,
1694
1317
attribute._dbus_in_signature,
1695
1318
attribute._dbus_out_signature)
1696
(copy_function(attribute)))
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1697
1324
# Copy annotations, if any
1698
1325
try:
1699
1326
attr[attrname]._dbus_annotations = dict(
1711
1338
attribute._dbus_access,
1712
1339
attribute._dbus_get_args_options
1713
1340
["byte_arrays"])
1714
(copy_function(attribute)))
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1715
1347
# Copy annotations, if any
1716
1348
try:
1717
1349
attr[attrname]._dbus_annotations = dict(
1726
1358
# to the class.
1727
1359
attr[attrname] = (
1728
1360
dbus_interface_annotations(alt_interface)
1729
(copy_function(attribute)))
1361
(types.FunctionType(attribute.func_code,
1362
attribute.func_globals,
1363
attribute.func_name,
1364
attribute.func_defaults,
1365
attribute.func_closure)))
1730
1366
if deprecate:
1731
1367
# Deprecate all alternate interfaces
1732
iname = "_AlternateDBusNames_interface_annotation{}"
1368
iname="_AlternateDBusNames_interface_annotation{}"
1733
1369
for interface_name in interface_names:
1734
1370
1735
1371
@dbus_interface_annotations(interface_name)
1736
1372
def func(self):
1737
return {"org.freedesktop.DBus.Deprecated":
1738
"true"}
1373
return { "org.freedesktop.DBus.Deprecated":
1374
"true" }
1739
1375
# Find an unused name
1740
1376
for aname in (iname.format(i)
1741
1377
for i in itertools.count()):
1745
1381
if interface_names:
1746
1382
# Replace the class with a new subclass of it with
1747
1383
# methods, signals, etc. as created above.
1748
if sys.version_info.major == 2:
1749
cls = type(b"{}Alternate".format(cls.__name__),
1750
(cls, ), attr)
1751
else:
1752
cls = type("{}Alternate".format(cls.__name__),
1753
(cls, ), attr)
1384
cls = type(b"{}Alternate".format(cls.__name__),
1385
(cls, ), attr)
1754
1386
return cls
1755
1387
1756
1388
return wrapper
1757
1389
1758
1390
1760
1392
"se.bsnet.fukt.Mandos"})
1761
1393
class ClientDBus(Client, DBusObjectWithProperties):
1762
1394
"""A Client class using D-Bus
1763
1395
1764
1396
Attributes:
1765
1397
dbus_object_path: dbus.ObjectPath
1766
1398
bus: dbus.SystemBus()
1767
1399
"""
1768
1400
1769
1401
runtime_expansions = (Client.runtime_expansions
1770
1402
+ ("dbus_object_path", ))
1771
1403
1772
1404
_interface = "se.recompile.Mandos.Client"
1773
1405
1774
1406
# dbus.service.Object doesn't use super(), so we can't either.
1775
1776
def __init__(self, bus=None, *args, **kwargs):
1407
1408
def __init__(self, bus = None, *args, **kwargs):
1777
1409
self.bus = bus
1778
1410
Client.__init__(self, *args, **kwargs)
1779
1411
# Only now, when this client is initialized, can it show up on
1785
1417
"/clients/" + client_object_name)
1786
1418
DBusObjectWithProperties.__init__(self, self.bus,
1787
1419
self.dbus_object_path)
1788
1420
1789
1421
def notifychangeproperty(transform_func, dbus_name,
1790
1422
type_func=lambda x: x,
1791
1423
variant_level=1,
1793
1425
_interface=_interface):
1794
1426
""" Modify a variable so that it's a property which announces
1795
1427
its changes to DBus.
1796
1428
1797
1429
transform_fun: Function that takes a value and a variant_level
1798
1430
and transforms it to a D-Bus type.
1799
1431
dbus_name: D-Bus name of the variable
1802
1434
variant_level: D-Bus variant level. Default: 1
1803
1435
"""
1804
1436
attrname = "_{}".format(dbus_name)
1805
1437
1806
1438
def setter(self, value):
1807
1439
if hasattr(self, "dbus_object_path"):
1808
1440
if (not hasattr(self, attrname) or
1815
1447
else:
1816
1448
dbus_value = transform_func(
1817
1449
type_func(value),
1818
variant_level=variant_level)
1450
variant_level = variant_level)
1819
1451
self.PropertyChanged(dbus.String(dbus_name),
1820
1452
dbus_value)
1821
1453
self.PropertiesChanged(
1822
1454
_interface,
1823
dbus.Dictionary({dbus.String(dbus_name):
1824
dbus_value}),
1455
dbus.Dictionary({ dbus.String(dbus_name):
1456
dbus_value }),
1825
1457
dbus.Array())
1826
1458
setattr(self, attrname, value)
1827
1459
1828
1460
return property(lambda self: getattr(self, attrname), setter)
1829
1461
1830
1462
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1831
1463
approvals_pending = notifychangeproperty(dbus.Boolean,
1832
1464
"ApprovalPending",
1833
type_func=bool)
1465
type_func = bool)
1834
1466
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1835
1467
last_enabled = notifychangeproperty(datetime_to_dbus,
1836
1468
"LastEnabled")
1837
1469
checker = notifychangeproperty(
1838
1470
dbus.Boolean, "CheckerRunning",
1839
type_func=lambda checker: checker is not None)
1471
type_func = lambda checker: checker is not None)
1840
1472
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1841
1473
"LastCheckedOK")
1842
1474
last_checker_status = notifychangeproperty(dbus.Int16,
1847
1479
"ApprovedByDefault")
1848
1480
approval_delay = notifychangeproperty(
1849
1481
dbus.UInt64, "ApprovalDelay",
1850
type_func=lambda td: td.total_seconds() * 1000)
1482
type_func = lambda td: td.total_seconds() * 1000)
1851
1483
approval_duration = notifychangeproperty(
1852
1484
dbus.UInt64, "ApprovalDuration",
1853
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1854
1486
host = notifychangeproperty(dbus.String, "Host")
1855
1487
timeout = notifychangeproperty(
1856
1488
dbus.UInt64, "Timeout",
1857
type_func=lambda td: td.total_seconds() * 1000)
1489
type_func = lambda td: td.total_seconds() * 1000)
1858
1490
extended_timeout = notifychangeproperty(
1859
1491
dbus.UInt64, "ExtendedTimeout",
1860
type_func=lambda td: td.total_seconds() * 1000)
1492
type_func = lambda td: td.total_seconds() * 1000)
1861
1493
interval = notifychangeproperty(
1862
1494
dbus.UInt64, "Interval",
1863
type_func=lambda td: td.total_seconds() * 1000)
1495
type_func = lambda td: td.total_seconds() * 1000)
1864
1496
checker_command = notifychangeproperty(dbus.String, "Checker")
1865
1497
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1866
1498
invalidate_only=True)
1867
1499
1868
1500
del notifychangeproperty
1869
1501
1870
1502
def __del__(self, *args, **kwargs):
1871
1503
try:
1872
1504
self.remove_from_connection()
1875
1507
if hasattr(DBusObjectWithProperties, "__del__"):
1876
1508
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1877
1509
Client.__del__(self, *args, **kwargs)
1878
1510
1879
1511
def checker_callback(self, source, condition,
1880
1512
connection, command, *args, **kwargs):
1881
1513
ret = Client.checker_callback(self, source, condition,
1897
1529
| self.last_checker_signal),
1898
1530
dbus.String(command))
1899
1531
return ret
1900
1532
1901
1533
def start_checker(self, *args, **kwargs):
1902
1534
old_checker_pid = getattr(self.checker, "pid", None)
1903
1535
r = Client.start_checker(self, *args, **kwargs)
1907
1539
# Emit D-Bus signal
1908
1540
self.CheckerStarted(self.current_checker_command)
1909
1541
return r
1910
1542
1911
1543
def _reset_approved(self):
1912
1544
self.approved = None
1913
1545
return False
1914
1546
1915
1547
def approve(self, value=True):
1916
1548
self.approved = value
1917
GLib.timeout_add(int(self.approval_duration.total_seconds()
1918
* 1000), self._reset_approved)
1549
gobject.timeout_add(int(self.approval_duration.total_seconds()
1550
* 1000), self._reset_approved)
1919
1551
self.send_changedstate()
1920
1921
# D-Bus methods, signals & properties
1922
1923
# Interfaces
1924
1925
# Signals
1926
1552
1553
## D-Bus methods, signals & properties
1554
1555
## Interfaces
1556
1557
## Signals
1558
1927
1559
# CheckerCompleted - signal
1928
1560
@dbus.service.signal(_interface, signature="nxs")
1929
1561
def CheckerCompleted(self, exitcode, waitstatus, command):
1930
1562
"D-Bus signal"
1931
1563
pass
1932
1564
1933
1565
# CheckerStarted - signal
1934
1566
@dbus.service.signal(_interface, signature="s")
1935
1567
def CheckerStarted(self, command):
1936
1568
"D-Bus signal"
1937
1569
pass
1938
1570
1939
1571
# PropertyChanged - signal
1940
1572
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1941
1573
@dbus.service.signal(_interface, signature="sv")
1942
1574
def PropertyChanged(self, property, value):
1943
1575
"D-Bus signal"
1944
1576
pass
1945
1577
1946
1578
# GotSecret - signal
1947
1579
@dbus.service.signal(_interface)
1948
1580
def GotSecret(self):
1951
1583
server to mandos-client
1952
1584
"""
1953
1585
pass
1954
1586
1955
1587
# Rejected - signal
1956
1588
@dbus.service.signal(_interface, signature="s")
1957
1589
def Rejected(self, reason):
1958
1590
"D-Bus signal"
1959
1591
pass
1960
1592
1961
1593
# NeedApproval - signal
1962
1594
@dbus.service.signal(_interface, signature="tb")
1963
1595
def NeedApproval(self, timeout, default):
1964
1596
"D-Bus signal"
1965
1597
return self.need_approval()
1966
1967
# Methods
1968
1598
1599
## Methods
1600
1969
1601
# Approve - method
1970
1602
@dbus.service.method(_interface, in_signature="b")
1971
1603
def Approve(self, value):
1972
1604
self.approve(value)
1973
1605
1974
1606
# CheckedOK - method
1975
1607
@dbus.service.method(_interface)
1976
1608
def CheckedOK(self):
1977
1609
self.checked_ok()
1978
1610
1979
1611
# Enable - method
1980
1612
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1981
1613
@dbus.service.method(_interface)
1982
1614
def Enable(self):
1983
1615
"D-Bus method"
1984
1616
self.enable()
1985
1617
1986
1618
# StartChecker - method
1987
1619
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1988
1620
@dbus.service.method(_interface)
1989
1621
def StartChecker(self):
1990
1622
"D-Bus method"
1991
1623
self.start_checker()
1992
1624
1993
1625
# Disable - method
1994
1626
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1995
1627
@dbus.service.method(_interface)
1996
1628
def Disable(self):
1997
1629
"D-Bus method"
1998
1630
self.disable()
1999
1631
2000
1632
# StopChecker - method
2001
1633
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2002
1634
@dbus.service.method(_interface)
2003
1635
def StopChecker(self):
2004
1636
self.stop_checker()
2005
2006
# Properties
2007
1637
1638
## Properties
1639
2008
1640
# ApprovalPending - property
2009
1641
@dbus_service_property(_interface, signature="b", access="read")
2010
1642
def ApprovalPending_dbus_property(self):
2011
1643
return dbus.Boolean(bool(self.approvals_pending))
2012
1644
2013
1645
# ApprovedByDefault - property
2014
1646
@dbus_service_property(_interface,
2015
1647
signature="b",
2018
1650
if value is None: # get
2019
1651
return dbus.Boolean(self.approved_by_default)
2020
1652
self.approved_by_default = bool(value)
2021
1653
2022
1654
# ApprovalDelay - property
2023
1655
@dbus_service_property(_interface,
2024
1656
signature="t",
2028
1660
return dbus.UInt64(self.approval_delay.total_seconds()
2029
1661
* 1000)
2030
1662
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2031
1663
2032
1664
# ApprovalDuration - property
2033
1665
@dbus_service_property(_interface,
2034
1666
signature="t",
2038
1670
return dbus.UInt64(self.approval_duration.total_seconds()
2039
1671
* 1000)
2040
1672
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2041
1673
2042
1674
# Name - property
2043
1675
@dbus_annotations(
2044
1676
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2045
1677
@dbus_service_property(_interface, signature="s", access="read")
2046
1678
def Name_dbus_property(self):
2047
1679
return dbus.String(self.name)
2048
2049
# KeyID - property
2050
@dbus_annotations(
2051
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2052
@dbus_service_property(_interface, signature="s", access="read")
2053
def KeyID_dbus_property(self):
2054
return dbus.String(self.key_id)
2055
1680
2056
1681
# Fingerprint - property
2057
1682
@dbus_annotations(
2058
1683
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2059
1684
@dbus_service_property(_interface, signature="s", access="read")
2060
1685
def Fingerprint_dbus_property(self):
2061
1686
return dbus.String(self.fingerprint)
2062
1687
2063
1688
# Host - property
2064
1689
@dbus_service_property(_interface,
2065
1690
signature="s",
2068
1693
if value is None: # get
2069
1694
return dbus.String(self.host)
2070
1695
self.host = str(value)
2071
1696
2072
1697
# Created - property
2073
1698
@dbus_annotations(
2074
1699
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2075
1700
@dbus_service_property(_interface, signature="s", access="read")
2076
1701
def Created_dbus_property(self):
2077
1702
return datetime_to_dbus(self.created)
2078
1703
2079
1704
# LastEnabled - property
2080
1705
@dbus_service_property(_interface, signature="s", access="read")
2081
1706
def LastEnabled_dbus_property(self):
2082
1707
return datetime_to_dbus(self.last_enabled)
2083
1708
2084
1709
# Enabled - property
2085
1710
@dbus_service_property(_interface,
2086
1711
signature="b",
2092
1717
self.enable()
2093
1718
else:
2094
1719
self.disable()
2095
1720
2096
1721
# LastCheckedOK - property
2097
1722
@dbus_service_property(_interface,
2098
1723
signature="s",
2102
1727
self.checked_ok()
2103
1728
return
2104
1729
return datetime_to_dbus(self.last_checked_ok)
2105
1730
2106
1731
# LastCheckerStatus - property
2107
1732
@dbus_service_property(_interface, signature="n", access="read")
2108
1733
def LastCheckerStatus_dbus_property(self):
2109
1734
return dbus.Int16(self.last_checker_status)
2110
1735
2111
1736
# Expires - property
2112
1737
@dbus_service_property(_interface, signature="s", access="read")
2113
1738
def Expires_dbus_property(self):
2114
1739
return datetime_to_dbus(self.expires)
2115
1740
2116
1741
# LastApprovalRequest - property
2117
1742
@dbus_service_property(_interface, signature="s", access="read")
2118
1743
def LastApprovalRequest_dbus_property(self):
2119
1744
return datetime_to_dbus(self.last_approval_request)
2120
1745
2121
1746
# Timeout - property
2122
1747
@dbus_service_property(_interface,
2123
1748
signature="t",
2138
1763
if (getattr(self, "disable_initiator_tag", None)
2139
1764
is None):
2140
1765
return
2141
GLib.source_remove(self.disable_initiator_tag)
2142
self.disable_initiator_tag = GLib.timeout_add(
1766
gobject.source_remove(self.disable_initiator_tag)
1767
self.disable_initiator_tag = gobject.timeout_add(
2143
1768
int((self.expires - now).total_seconds() * 1000),
2144
1769
self.disable)
2145
1770
2146
1771
# ExtendedTimeout - property
2147
1772
@dbus_service_property(_interface,
2148
1773
signature="t",
2152
1777
return dbus.UInt64(self.extended_timeout.total_seconds()
2153
1778
* 1000)
2154
1779
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2155
1780
2156
1781
# Interval - property
2157
1782
@dbus_service_property(_interface,
2158
1783
signature="t",
2165
1790
return
2166
1791
if self.enabled:
2167
1792
# Reschedule checker run
2168
GLib.source_remove(self.checker_initiator_tag)
2169
self.checker_initiator_tag = GLib.timeout_add(
1793
gobject.source_remove(self.checker_initiator_tag)
1794
self.checker_initiator_tag = gobject.timeout_add(
2170
1795
value, self.start_checker)
2171
self.start_checker() # Start one now, too
2172
1796
self.start_checker() # Start one now, too
1797
2173
1798
# Checker - property
2174
1799
@dbus_service_property(_interface,
2175
1800
signature="s",
2178
1803
if value is None: # get
2179
1804
return dbus.String(self.checker_command)
2180
1805
self.checker_command = str(value)
2181
1806
2182
1807
# CheckerRunning - property
2183
1808
@dbus_service_property(_interface,
2184
1809
signature="b",
2190
1815
self.start_checker()
2191
1816
else:
2192
1817
self.stop_checker()
2193
1818
2194
1819
# ObjectPath - property
2195
1820
@dbus_annotations(
2196
1821
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2197
1822
"org.freedesktop.DBus.Deprecated": "true"})
2198
1823
@dbus_service_property(_interface, signature="o", access="read")
2199
1824
def ObjectPath_dbus_property(self):
2200
return self.dbus_object_path # is already a dbus.ObjectPath
2201
1825
return self.dbus_object_path # is already a dbus.ObjectPath
1826
2202
1827
# Secret = property
2203
1828
@dbus_annotations(
2204
1829
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2209
1834
byte_arrays=True)
2210
1835
def Secret_dbus_property(self, value):
2211
1836
self.secret = bytes(value)
2212
1837
2213
1838
del _interface
2214
1839
2215
1840
2216
1841
class ProxyClient(object):
2217
def __init__(self, child_pipe, key_id, fpr, address):
1842
def __init__(self, child_pipe, fpr, address):
2218
1843
self._pipe = child_pipe
2219
self._pipe.send(('init', key_id, fpr, address))
1844
self._pipe.send(('init', fpr, address))
2220
1845
if not self._pipe.recv():
2221
raise KeyError(key_id or fpr)
2222
1846
raise KeyError(fpr)
1847
2223
1848
def __getattribute__(self, name):
2224
1849
if name == '_pipe':
2225
1850
return super(ProxyClient, self).__getattribute__(name)
2228
1853
if data[0] == 'data':
2229
1854
return data[1]
2230
1855
if data[0] == 'function':
2231
1856
2232
1857
def func(*args, **kwargs):
2233
1858
self._pipe.send(('funcall', name, args, kwargs))
2234
1859
return self._pipe.recv()[1]
2235
1860
2236
1861
return func
2237
1862
2238
1863
def __setattr__(self, name, value):
2239
1864
if name == '_pipe':
2240
1865
return super(ProxyClient, self).__setattr__(name, value)
2243
1868
2244
1869
class ClientHandler(socketserver.BaseRequestHandler, object):
2245
1870
"""A class to handle client connections.
2246
1871
2247
1872
Instantiated once for each connection to handle it.
2248
1873
Note: This will run in its own forked process."""
2249
1874
2250
1875
def handle(self):
2251
1876
with contextlib.closing(self.server.child_pipe) as child_pipe:
2252
1877
logger.info("TCP connection from: %s",
2253
1878
str(self.client_address))
2254
1879
logger.debug("Pipe FD: %d",
2255
1880
self.server.child_pipe.fileno())
2256
2257
session = gnutls.ClientSession(self.request)
2258
2259
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2260
# "+AES-256-CBC", "+SHA1",
2261
# "+COMP-NULL", "+CTYPE-OPENPGP",
2262
# "+DHE-DSS"))
1881
1882
session = gnutls.connection.ClientSession(
1883
self.request, gnutls.connection.X509Credentials())
1884
1885
# Note: gnutls.connection.X509Credentials is really a
1886
# generic GnuTLS certificate credentials object so long as
1887
# no X.509 keys are added to it. Therefore, we can use it
1888
# here despite using OpenPGP certificates.
1889
1890
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1891
# "+AES-256-CBC", "+SHA1",
1892
# "+COMP-NULL", "+CTYPE-OPENPGP",
1893
# "+DHE-DSS"))
2263
1894
# Use a fallback default, since this MUST be set.
2264
1895
priority = self.server.gnutls_priority
2265
1896
if priority is None:
2266
1897
priority = "NORMAL"
2267
gnutls.priority_set_direct(session._c_object,
2268
priority.encode("utf-8"),
2269
None)
2270
1898
gnutls.library.functions.gnutls_priority_set_direct(
1899
session._c_object, priority, None)
1900
2271
1901
# Start communication using the Mandos protocol
2272
1902
# Get protocol number
2273
1903
line = self.request.makefile().readline()
2278
1908
except (ValueError, IndexError, RuntimeError) as error:
2279
1909
logger.error("Unknown protocol version: %s", error)
2280
1910
return
2281
1911
2282
1912
# Start GnuTLS connection
2283
1913
try:
2284
1914
session.handshake()
2285
except gnutls.Error as error:
1915
except gnutls.errors.GNUTLSError as error:
2286
1916
logger.warning("Handshake failed: %s", error)
2287
1917
# Do not run session.bye() here: the session is not
2288
1918
# established. Just abandon the request.
2289
1919
return
2290
1920
logger.debug("Handshake succeeded")
2291
1921
2292
1922
approval_required = False
2293
1923
try:
2294
if gnutls.has_rawpk:
2295
fpr = b""
2296
try:
2297
key_id = self.key_id(
2298
self.peer_certificate(session))
2299
except (TypeError, gnutls.Error) as error:
2300
logger.warning("Bad certificate: %s", error)
2301
return
2302
logger.debug("Key ID: %s", key_id)
2303
2304
else:
2305
key_id = b""
2306
try:
2307
fpr = self.fingerprint(
2308
self.peer_certificate(session))
2309
except (TypeError, gnutls.Error) as error:
2310
logger.warning("Bad certificate: %s", error)
2311
return
2312
logger.debug("Fingerprint: %s", fpr)
2313
2314
try:
2315
client = ProxyClient(child_pipe, key_id, fpr,
1924
try:
1925
fpr = self.fingerprint(
1926
self.peer_certificate(session))
1927
except (TypeError,
1928
gnutls.errors.GNUTLSError) as error:
1929
logger.warning("Bad certificate: %s", error)
1930
return
1931
logger.debug("Fingerprint: %s", fpr)
1932
1933
try:
1934
client = ProxyClient(child_pipe, fpr,
2316
1935
self.client_address)
2317
1936
except KeyError:
2318
1937
return
2319
1938
2320
1939
if client.approval_delay:
2321
1940
delay = client.approval_delay
2322
1941
client.approvals_pending += 1
2323
1942
approval_required = True
2324
1943
2325
1944
while True:
2326
1945
if not client.enabled:
2327
1946
logger.info("Client %s is disabled",
2330
1949
# Emit D-Bus signal
2331
1950
client.Rejected("Disabled")
2332
1951
return
2333
1952
2334
1953
if client.approved or not client.approval_delay:
2335
# We are approved or approval is disabled
1954
#We are approved or approval is disabled
2336
1955
break
2337
1956
elif client.approved is None:
2338
1957
logger.info("Client %s needs approval",
2349
1968
# Emit D-Bus signal
2350
1969
client.Rejected("Denied")
2351
1970
return
2352
2353
# wait until timeout or approved
1971
1972
#wait until timeout or approved
2354
1973
time = datetime.datetime.now()
2355
1974
client.changedstate.acquire()
2356
1975
client.changedstate.wait(delay.total_seconds())
2369
1988
break
2370
1989
else:
2371
1990
delay -= time2 - time
2372
2373
try:
2374
session.send(client.secret)
2375
except gnutls.Error as error:
2376
logger.warning("gnutls send failed",
2377
exc_info=error)
2378
return
2379
1991
1992
sent_size = 0
1993
while sent_size < len(client.secret):
1994
try:
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
1998
exc_info=error)
1999
return
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2002
+ sent))
2003
sent_size += sent
2004
2380
2005
logger.info("Sending secret to %s", client.name)
2381
2006
# bump the timeout using extended_timeout
2382
2007
client.bump_timeout(client.extended_timeout)
2383
2008
if self.server.use_dbus:
2384
2009
# Emit D-Bus signal
2385
2010
client.GotSecret()
2386
2011
2387
2012
finally:
2388
2013
if approval_required:
2389
2014
client.approvals_pending -= 1
2390
2015
try:
2391
2016
session.bye()
2392
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2393
2018
logger.warning("GnuTLS bye failed",
2394
2019
exc_info=error)
2395
2020
2396
2021
@staticmethod
2397
2022
def peer_certificate(session):
2398
"Return the peer's certificate as a bytestring"
2399
try:
2400
cert_type = gnutls.certificate_type_get2(session._c_object,
2401
gnutls.CTYPE_PEERS)
2402
except AttributeError:
2403
cert_type = gnutls.certificate_type_get(session._c_object)
2404
if gnutls.has_rawpk:
2405
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2406
else:
2407
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2408
# If not a valid certificate type...
2409
if cert_type not in valid_cert_types:
2410
logger.info("Cert type %r not in %r", cert_type,
2411
valid_cert_types)
2412
# ...return invalid data
2413
return b""
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2026
session._c_object)
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2414
2030
list_size = ctypes.c_uint(1)
2415
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2416
2033
(session._c_object, ctypes.byref(list_size)))
2417
2034
if not bool(cert_list) and list_size.value != 0:
2418
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2036
" certificate")
2419
2037
if list_size.value == 0:
2420
2038
return None
2421
2039
cert = cert_list[0]
2422
2040
return ctypes.string_at(cert.data, cert.size)
2423
2424
@staticmethod
2425
def key_id(certificate):
2426
"Convert a certificate bytestring to a hexdigit key ID"
2427
# New GnuTLS "datum" with the public key
2428
datum = gnutls.datum_t(
2429
ctypes.cast(ctypes.c_char_p(certificate),
2430
ctypes.POINTER(ctypes.c_ubyte)),
2431
ctypes.c_uint(len(certificate)))
2432
# XXX all these need to be created in the gnutls "module"
2433
# New empty GnuTLS certificate
2434
pubkey = gnutls.pubkey_t()
2435
gnutls.pubkey_init(ctypes.byref(pubkey))
2436
# Import the raw public key into the certificate
2437
gnutls.pubkey_import(pubkey,
2438
ctypes.byref(datum),
2439
gnutls.X509_FMT_DER)
2440
# New buffer for the key ID
2441
buf = ctypes.create_string_buffer(32)
2442
buf_len = ctypes.c_size_t(len(buf))
2443
# Get the key ID from the raw public key into the buffer
2444
gnutls.pubkey_get_key_id(pubkey,
2445
gnutls.KEYID_USE_SHA256,
2446
ctypes.cast(ctypes.byref(buf),
2447
ctypes.POINTER(ctypes.c_ubyte)),
2448
ctypes.byref(buf_len))
2449
# Deinit the certificate
2450
gnutls.pubkey_deinit(pubkey)
2451
2452
# Convert the buffer to a Python bytestring
2453
key_id = ctypes.string_at(buf, buf_len.value)
2454
# Convert the bytestring to hexadecimal notation
2455
hex_key_id = binascii.hexlify(key_id).upper()
2456
return hex_key_id
2457
2041
2458
2042
@staticmethod
2459
2043
def fingerprint(openpgp):
2460
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2461
2045
# New GnuTLS "datum" with the OpenPGP public key
2462
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2463
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2464
2048
ctypes.POINTER(ctypes.c_ubyte)),
2465
2049
ctypes.c_uint(len(openpgp)))
2466
2050
# New empty GnuTLS certificate
2467
crt = gnutls.openpgp_crt_t()
2468
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2053
ctypes.byref(crt))
2469
2054
# Import the OpenPGP public key into the certificate
2470
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2471
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2472
2058
# Verify the self signature in the key
2473
2059
crtverify = ctypes.c_uint()
2474
gnutls.openpgp_crt_verify_self(crt, 0,
2475
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2476
2062
if crtverify.value != 0:
2477
gnutls.openpgp_crt_deinit(crt)
2478
raise gnutls.CertificateSecurityError(code
2479
=crtverify.value)
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2065
"Verify failed")
2480
2066
# New buffer for the fingerprint
2481
2067
buf = ctypes.create_string_buffer(20)
2482
2068
buf_len = ctypes.c_size_t()
2483
2069
# Get the fingerprint from the certificate into the buffer
2484
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2485
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2486
2072
# Deinit the certificate
2487
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2488
2074
# Convert the buffer to a Python bytestring
2489
2075
fpr = ctypes.string_at(buf, buf_len.value)
2490
2076
# Convert the bytestring to hexadecimal notation
2494
2080
2495
2081
class MultiprocessingMixIn(object):
2496
2082
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2497
2083
2498
2084
def sub_process_main(self, request, address):
2499
2085
try:
2500
2086
self.finish_request(request, address)
2501
2087
except Exception:
2502
2088
self.handle_error(request, address)
2503
2089
self.close_request(request)
2504
2090
2505
2091
def process_request(self, request, address):
2506
2092
"""Start a new process to process the request."""
2507
proc = multiprocessing.Process(target=self.sub_process_main,
2508
args=(request, address))
2093
proc = multiprocessing.Process(target = self.sub_process_main,
2094
args = (request, address))
2509
2095
proc.start()
2510
2096
return proc
2511
2097
2512
2098
2513
2099
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2514
2100
""" adds a pipe to the MixIn """
2515
2101
2516
2102
def process_request(self, request, client_address):
2517
2103
"""Overrides and wraps the original process_request().
2518
2104
2519
2105
This function creates a new pipe in self.pipe
2520
2106
"""
2521
2107
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2522
2108
2523
2109
proc = MultiprocessingMixIn.process_request(self, request,
2524
2110
client_address)
2525
2111
self.child_pipe.close()
2526
2112
self.add_pipe(parent_pipe, proc)
2527
2113
2528
2114
def add_pipe(self, parent_pipe, proc):
2529
2115
"""Dummy function; override as necessary"""
2530
2116
raise NotImplementedError()
2533
2119
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2534
2120
socketserver.TCPServer, object):
2535
2121
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2536
2122
2537
2123
Attributes:
2538
2124
enabled: Boolean; whether this server is activated yet
2539
2125
interface: None or a network interface name (string)
2540
2126
use_ipv6: Boolean; to use IPv6 or not
2541
2127
"""
2542
2128
2543
2129
def __init__(self, server_address, RequestHandlerClass,
2544
2130
interface=None,
2545
2131
use_ipv6=True,
2555
2141
self.socketfd = socketfd
2556
2142
# Save the original socket.socket() function
2557
2143
self.socket_socket = socket.socket
2558
2559
2144
# To implement --socket, we monkey patch socket.socket.
2560
#
2145
#
2561
2146
# (When socketserver.TCPServer is a new-style class, we
2562
2147
# could make self.socket into a property instead of monkey
2563
2148
# patching socket.socket.)
2564
#
2149
#
2565
2150
# Create a one-time-only replacement for socket.socket()
2566
2151
@functools.wraps(socket.socket)
2567
2152
def socket_wrapper(*args, **kwargs):
2579
2164
# socket_wrapper(), if socketfd was set.
2580
2165
socketserver.TCPServer.__init__(self, server_address,
2581
2166
RequestHandlerClass)
2582
2167
2583
2168
def server_bind(self):
2584
2169
"""This overrides the normal server_bind() function
2585
2170
to bind to an interface if one was specified, and also NOT to
2586
2171
bind to an address or port if they were not specified."""
2587
global SO_BINDTODEVICE
2588
2172
if self.interface is not None:
2589
2173
if SO_BINDTODEVICE is None:
2590
# Fall back to a hard-coded value which seems to be
2591
# common enough.
2592
logger.warning("SO_BINDTODEVICE not found, trying 25")
2593
SO_BINDTODEVICE = 25
2594
try:
2595
self.socket.setsockopt(
2596
socket.SOL_SOCKET, SO_BINDTODEVICE,
2597
(self.interface + "\0").encode("utf-8"))
2598
except socket.error as error:
2599
if error.errno == errno.EPERM:
2600
logger.error("No permission to bind to"
2601
" interface %s", self.interface)
2602
elif error.errno == errno.ENOPROTOOPT:
2603
logger.error("SO_BINDTODEVICE not available;"
2604
" cannot bind to interface %s",
2605
self.interface)
2606
elif error.errno == errno.ENODEV:
2607
logger.error("Interface %s does not exist,"
2608
" cannot bind", self.interface)
2609
else:
2610
raise
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2176
self.interface)
2177
else:
2178
try:
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2189
self.interface)
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2193
else:
2194
raise
2611
2195
# Only bind(2) the socket if we really need to.
2612
2196
if self.server_address[0] or self.server_address[1]:
2613
if self.server_address[1]:
2614
self.allow_reuse_address = True
2615
2197
if not self.server_address[0]:
2616
2198
if self.address_family == socket.AF_INET6:
2617
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2618
2200
else:
2619
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2620
2202
self.server_address = (any_address,
2621
2203
self.server_address[1])
2622
2204
elif not self.server_address[1]:
2632
2214
2633
2215
class MandosServer(IPv6_TCPServer):
2634
2216
"""Mandos server.
2635
2217
2636
2218
Attributes:
2637
2219
clients: set of Client objects
2638
2220
gnutls_priority GnuTLS priority string
2639
2221
use_dbus: Boolean; to emit D-Bus signals or not
2640
2641
Assumes a GLib.MainLoop event loop.
2222
2223
Assumes a gobject.MainLoop event loop.
2642
2224
"""
2643
2225
2644
2226
def __init__(self, server_address, RequestHandlerClass,
2645
2227
interface=None,
2646
2228
use_ipv6=True,
2656
2238
self.gnutls_priority = gnutls_priority
2657
2239
IPv6_TCPServer.__init__(self, server_address,
2658
2240
RequestHandlerClass,
2659
interface=interface,
2660
use_ipv6=use_ipv6,
2661
socketfd=socketfd)
2662
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2244
2663
2245
def server_activate(self):
2664
2246
if self.enabled:
2665
2247
return socketserver.TCPServer.server_activate(self)
2666
2248
2667
2249
def enable(self):
2668
2250
self.enabled = True
2669
2251
2670
2252
def add_pipe(self, parent_pipe, proc):
2671
2253
# Call "handle_ipc" for both data and EOF events
2672
GLib.io_add_watch(
2254
gobject.io_add_watch(
2673
2255
parent_pipe.fileno(),
2674
GLib.IO_IN | GLib.IO_HUP,
2256
gobject.IO_IN | gobject.IO_HUP,
2675
2257
functools.partial(self.handle_ipc,
2676
parent_pipe=parent_pipe,
2677
proc=proc))
2678
2258
parent_pipe = parent_pipe,
2259
proc = proc))
2260
2679
2261
def handle_ipc(self, source, condition,
2680
2262
parent_pipe=None,
2681
proc=None,
2263
proc = None,
2682
2264
client_object=None):
2683
2265
# error, or the other end of multiprocessing.Pipe has closed
2684
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2685
2267
# Wait for other process to exit
2686
2268
proc.join()
2687
2269
return False
2688
2270
2689
2271
# Read a request from the child
2690
2272
request = parent_pipe.recv()
2691
2273
command = request[0]
2692
2274
2693
2275
if command == 'init':
2694
key_id = request[1].decode("ascii")
2695
fpr = request[2].decode("ascii")
2696
address = request[3]
2697
2698
for c in self.clients.values():
2699
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2700
continue
2701
if key_id and c.key_id == key_id:
2702
client = c
2703
break
2704
if fpr and c.fingerprint == fpr:
2276
fpr = request[1]
2277
address = request[2]
2278
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2705
2281
client = c
2706
2282
break
2707
2283
else:
2708
logger.info("Client not found for key ID: %s, address"
2709
": %s", key_id or fpr, address)
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2710
2286
if self.use_dbus:
2711
2287
# Emit D-Bus signal
2712
mandos_dbus_service.ClientNotFound(key_id or fpr,
2288
mandos_dbus_service.ClientNotFound(fpr,
2713
2289
address[0])
2714
2290
parent_pipe.send(False)
2715
2291
return False
2716
2717
GLib.io_add_watch(
2292
2293
gobject.io_add_watch(
2718
2294
parent_pipe.fileno(),
2719
GLib.IO_IN | GLib.IO_HUP,
2295
gobject.IO_IN | gobject.IO_HUP,
2720
2296
functools.partial(self.handle_ipc,
2721
parent_pipe=parent_pipe,
2722
proc=proc,
2723
client_object=client))
2297
parent_pipe = parent_pipe,
2298
proc = proc,
2299
client_object = client))
2724
2300
parent_pipe.send(True)
2725
2301
# remove the old hook in favor of the new above hook on
2726
2302
# same fileno
2729
2305
funcname = request[1]
2730
2306
args = request[2]
2731
2307
kwargs = request[3]
2732
2308
2733
2309
parent_pipe.send(('data', getattr(client_object,
2734
2310
funcname)(*args,
2735
2311
**kwargs)))
2736
2312
2737
2313
if command == 'getattr':
2738
2314
attrname = request[1]
2739
2315
if isinstance(client_object.__getattribute__(attrname),
2742
2318
else:
2743
2319
parent_pipe.send((
2744
2320
'data', client_object.__getattribute__(attrname)))
2745
2321
2746
2322
if command == 'setattr':
2747
2323
attrname = request[1]
2748
2324
value = request[2]
2749
2325
setattr(client_object, attrname, value)
2750
2326
2751
2327
return True
2752
2328
2753
2329
2754
2330
def rfc3339_duration_to_delta(duration):
2755
2331
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2756
2332
2757
2333
>>> rfc3339_duration_to_delta("P7D")
2758
2334
datetime.timedelta(7)
2759
2335
>>> rfc3339_duration_to_delta("PT60S")
2769
2345
>>> rfc3339_duration_to_delta("P1DT3M20S")
2770
2346
datetime.timedelta(1, 200)
2771
2347
"""
2772
2348
2773
2349
# Parsing an RFC 3339 duration with regular expressions is not
2774
2350
# possible - there would have to be multiple places for the same
2775
2351
# values, like seconds. The current code, while more esoteric, is
2776
2352
# cleaner without depending on a parsing library. If Python had a
2777
2353
# built-in library for parsing we would use it, but we'd like to
2778
2354
# avoid excessive use of external libraries.
2779
2355
2780
2356
# New type for defining tokens, syntax, and semantics all-in-one
2781
2357
Token = collections.namedtuple("Token", (
2782
2358
"regexp", # To match token; if "value" is not None, must have
2815
2391
frozenset((token_year, token_month,
2816
2392
token_day, token_time,
2817
2393
token_week)))
2818
# Define starting values:
2819
# Value so far
2820
value = datetime.timedelta()
2394
# Define starting values
2395
value = datetime.timedelta() # Value so far
2821
2396
found_token = None
2822
# Following valid tokens
2823
followers = frozenset((token_duration, ))
2824
# String left to parse
2825
s = duration
2397
followers = frozenset((token_duration, )) # Following valid tokens
2398
s = duration # String left to parse
2826
2399
# Loop until end token is found
2827
2400
while found_token is not token_end:
2828
2401
# Search for any currently valid tokens
2852
2425
2853
2426
def string_to_delta(interval):
2854
2427
"""Parse a string and return a datetime.timedelta
2855
2428
2856
2429
>>> string_to_delta('7d')
2857
2430
datetime.timedelta(7)
2858
2431
>>> string_to_delta('60s')
2866
2439
>>> string_to_delta('5m 30s')
2867
2440
datetime.timedelta(0, 330)
2868
2441
"""
2869
2442
2870
2443
try:
2871
2444
return rfc3339_duration_to_delta(interval)
2872
2445
except ValueError:
2873
2446
pass
2874
2447
2875
2448
timevalue = datetime.timedelta(0)
2876
2449
for s in interval.split():
2877
2450
try:
2895
2468
return timevalue
2896
2469
2897
2470
2898
def daemon(nochdir=False, noclose=False):
2471
def daemon(nochdir = False, noclose = False):
2899
2472
"""See daemon(3). Standard BSD Unix function.
2900
2473
2901
2474
This should really exist as os.daemon, but it doesn't (yet)."""
2902
2475
if os.fork():
2903
2476
sys.exit()
2921
2494
2922
2495
2923
2496
def main():
2924
2497
2925
2498
##################################################################
2926
2499
# Parsing of options, both command line and config file
2927
2500
2928
2501
parser = argparse.ArgumentParser()
2929
2502
parser.add_argument("-v", "--version", action="version",
2930
version="%(prog)s {}".format(version),
2503
version = "%(prog)s {}".format(version),
2931
2504
help="show version number and exit")
2932
2505
parser.add_argument("-i", "--interface", metavar="IF",
2933
2506
help="Bind to interface IF")
2969
2542
parser.add_argument("--no-zeroconf", action="store_false",
2970
2543
dest="zeroconf", help="Do not use Zeroconf",
2971
2544
default=None)
2972
2545
2973
2546
options = parser.parse_args()
2974
2547
2975
2548
if options.check:
2976
2549
import doctest
2977
2550
fail_count, test_count = doctest.testmod()
2978
2551
sys.exit(os.EX_OK if fail_count == 0 else 1)
2979
2552
2980
2553
# Default values for config file for server-global settings
2981
if gnutls.has_rawpk:
2982
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
2983
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
2984
else:
2985
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2986
":+SIGN-DSA-SHA256")
2987
server_defaults = {"interface": "",
2988
"address": "",
2989
"port": "",
2990
"debug": "False",
2991
"priority": priority,
2992
"servicename": "Mandos",
2993
"use_dbus": "True",
2994
"use_ipv6": "True",
2995
"debuglevel": "",
2996
"restore": "True",
2997
"socket": "",
2998
"statedir": "/var/lib/mandos",
2999
"foreground": "False",
3000
"zeroconf": "True",
3001
}
3002
del priority
3003
2554
server_defaults = { "interface": "",
2555
"address": "",
2556
"port": "",
2557
"debug": "False",
2558
"priority":
2559
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2560
":+SIGN-DSA-SHA256",
2561
"servicename": "Mandos",
2562
"use_dbus": "True",
2563
"use_ipv6": "True",
2564
"debuglevel": "",
2565
"restore": "True",
2566
"socket": "",
2567
"statedir": "/var/lib/mandos",
2568
"foreground": "False",
2569
"zeroconf": "True",
2570
}
2571
3004
2572
# Parse config file for server-global settings
3005
server_config = configparser.ConfigParser(server_defaults)
2573
server_config = configparser.SafeConfigParser(server_defaults)
3006
2574
del server_defaults
3007
2575
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3008
# Convert the ConfigParser object to a dict
2576
# Convert the SafeConfigParser object to a dict
3009
2577
server_settings = server_config.defaults()
3010
2578
# Use the appropriate methods on the non-string config options
3011
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3012
"foreground", "zeroconf"):
2579
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3013
2580
server_settings[option] = server_config.getboolean("DEFAULT",
3014
2581
option)
3015
2582
if server_settings["port"]:
3025
2592
server_settings["socket"] = os.dup(server_settings
3026
2593
["socket"])
3027
2594
del server_config
3028
2595
3029
2596
# Override the settings from the config file with command line
3030
2597
# options, if set.
3031
2598
for option in ("interface", "address", "port", "debug",
3049
2616
if server_settings["debug"]:
3050
2617
server_settings["foreground"] = True
3051
2618
# Now we have our good server settings in "server_settings"
3052
2619
3053
2620
##################################################################
3054
2621
3055
2622
if (not server_settings["zeroconf"]
3056
2623
and not (server_settings["port"]
3057
2624
or server_settings["socket"] != "")):
3058
2625
parser.error("Needs port or socket to work without Zeroconf")
3059
2626
3060
2627
# For convenience
3061
2628
debug = server_settings["debug"]
3062
2629
debuglevel = server_settings["debuglevel"]
3066
2633
stored_state_file)
3067
2634
foreground = server_settings["foreground"]
3068
2635
zeroconf = server_settings["zeroconf"]
3069
2636
3070
2637
if debug:
3071
2638
initlogger(debug, logging.DEBUG)
3072
2639
else:
3075
2642
else:
3076
2643
level = getattr(logging, debuglevel.upper())
3077
2644
initlogger(debug, level)
3078
2645
3079
2646
if server_settings["servicename"] != "Mandos":
3080
2647
syslogger.setFormatter(
3081
2648
logging.Formatter('Mandos ({}) [%(process)d]:'
3082
2649
' %(levelname)s: %(message)s'.format(
3083
2650
server_settings["servicename"])))
3084
2651
3085
2652
# Parse config file with clients
3086
client_config = configparser.ConfigParser(Client.client_defaults)
2653
client_config = configparser.SafeConfigParser(Client
2654
.client_defaults)
3087
2655
client_config.read(os.path.join(server_settings["configdir"],
3088
2656
"clients.conf"))
3089
2657
3090
2658
global mandos_dbus_service
3091
2659
mandos_dbus_service = None
3092
2660
3093
2661
socketfd = None
3094
2662
if server_settings["socket"] != "":
3095
2663
socketfd = server_settings["socket"]
3111
2679
except IOError as e:
3112
2680
logger.error("Could not open file %r", pidfilename,
3113
2681
exc_info=e)
3114
3115
for name, group in (("_mandos", "_mandos"),
3116
("mandos", "mandos"),
3117
("nobody", "nogroup")):
2682
2683
for name in ("_mandos", "mandos", "nobody"):
3118
2684
try:
3119
2685
uid = pwd.getpwnam(name).pw_uid
3120
gid = pwd.getpwnam(group).pw_gid
2686
gid = pwd.getpwnam(name).pw_gid
3121
2687
break
3122
2688
except KeyError:
3123
2689
continue
3127
2693
try:
3128
2694
os.setgid(gid)
3129
2695
os.setuid(uid)
3130
if debug:
3131
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3132
gid))
3133
2696
except OSError as error:
3134
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3135
.format(uid, gid, os.strerror(error.errno)))
3136
2697
if error.errno != errno.EPERM:
3137
2698
raise
3138
2699
3139
2700
if debug:
3140
2701
# Enable all possible GnuTLS debugging
3141
2702
3142
2703
# "Use a log level over 10 to enable all debugging options."
3143
2704
# - GnuTLS manual
3144
gnutls.global_set_log_level(11)
3145
3146
@gnutls.log_func
2705
gnutls.library.functions.gnutls_global_set_log_level(11)
2706
2707
@gnutls.library.types.gnutls_log_func
3147
2708
def debug_gnutls(level, string):
3148
2709
logger.debug("GnuTLS: %s", string[:-1])
3149
3150
gnutls.global_set_log_function(debug_gnutls)
3151
2710
2711
gnutls.library.functions.gnutls_global_set_log_function(
2712
debug_gnutls)
2713
3152
2714
# Redirect stdin so all checkers get /dev/null
3153
2715
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3154
2716
os.dup2(null, sys.stdin.fileno())
3155
2717
if null > 2:
3156
2718
os.close(null)
3157
2719
3158
2720
# Need to fork before connecting to D-Bus
3159
2721
if not foreground:
3160
2722
# Close all input and output, do double fork, etc.
3161
2723
daemon()
3162
3163
if gi.version_info < (3, 10, 2):
3164
# multiprocessing will use threads, so before we use GLib we
3165
# need to inform GLib that threads will be used.
3166
GLib.threads_init()
3167
2724
2725
# multiprocessing will use threads, so before we use gobject we
2726
# need to inform gobject that threads will be used.
2727
gobject.threads_init()
2728
3168
2729
global main_loop
3169
2730
# From the Avahi example code
3170
2731
DBusGMainLoop(set_as_default=True)
3171
main_loop = GLib.MainLoop()
2732
main_loop = gobject.MainLoop()
3172
2733
bus = dbus.SystemBus()
3173
2734
# End of Avahi example code
3174
2735
if use_dbus:
3187
2748
if zeroconf:
3188
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3189
2750
service = AvahiServiceToSyslog(
3190
name=server_settings["servicename"],
3191
servicetype="_mandos._tcp",
3192
protocol=protocol,
3193
bus=bus)
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2754
bus = bus)
3194
2755
if server_settings["interface"]:
3195
2756
service.interface = if_nametoindex(
3196
2757
server_settings["interface"].encode("utf-8"))
3197
2758
3198
2759
global multiprocessing_manager
3199
2760
multiprocessing_manager = multiprocessing.Manager()
3200
2761
3201
2762
client_class = Client
3202
2763
if use_dbus:
3203
client_class = functools.partial(ClientDBus, bus=bus)
3204
2764
client_class = functools.partial(ClientDBus, bus = bus)
2765
3205
2766
client_settings = Client.config_parser(client_config)
3206
2767
old_client_settings = {}
3207
2768
clients_data = {}
3208
2769
3209
2770
# This is used to redirect stdout and stderr for checker processes
3210
2771
global wnull
3211
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3212
2773
# Only used if server is running in foreground but not in debug
3213
2774
# mode
3214
2775
if debug or not foreground:
3215
2776
wnull.close()
3216
2777
3217
2778
# Get client data and settings from last running state.
3218
2779
if server_settings["restore"]:
3219
2780
try:
3220
2781
with open(stored_state_path, "rb") as stored_state:
3221
if sys.version_info.major == 2:
3222
clients_data, old_client_settings = pickle.load(
3223
stored_state)
3224
else:
3225
bytes_clients_data, bytes_old_client_settings = (
3226
pickle.load(stored_state, encoding="bytes"))
3227
# Fix bytes to strings
3228
# clients_data
3229
# .keys()
3230
clients_data = {(key.decode("utf-8")
3231
if isinstance(key, bytes)
3232
else key): value
3233
for key, value in
3234
bytes_clients_data.items()}
3235
del bytes_clients_data
3236
for key in clients_data:
3237
value = {(k.decode("utf-8")
3238
if isinstance(k, bytes) else k): v
3239
for k, v in
3240
clients_data[key].items()}
3241
clients_data[key] = value
3242
# .client_structure
3243
value["client_structure"] = [
3244
(s.decode("utf-8")
3245
if isinstance(s, bytes)
3246
else s) for s in
3247
value["client_structure"]]
3248
# .name & .host
3249
for k in ("name", "host"):
3250
if isinstance(value[k], bytes):
3251
value[k] = value[k].decode("utf-8")
3252
if "key_id" not in value:
3253
value["key_id"] = ""
3254
elif "fingerprint" not in value:
3255
value["fingerprint"] = ""
3256
# old_client_settings
3257
# .keys()
3258
old_client_settings = {
3259
(key.decode("utf-8")
3260
if isinstance(key, bytes)
3261
else key): value
3262
for key, value in
3263
bytes_old_client_settings.items()}
3264
del bytes_old_client_settings
3265
# .host
3266
for value in old_client_settings.values():
3267
if isinstance(value["host"], bytes):
3268
value["host"] = (value["host"]
3269
.decode("utf-8"))
2782
clients_data, old_client_settings = pickle.load(
2783
stored_state)
3270
2784
os.remove(stored_state_path)
3271
2785
except IOError as e:
3272
2786
if e.errno == errno.ENOENT:
3280
2794
logger.warning("Could not load persistent state: "
3281
2795
"EOFError:",
3282
2796
exc_info=e)
3283
2797
3284
2798
with PGPEngine() as pgp:
3285
2799
for client_name, client in clients_data.items():
3286
2800
# Skip removed clients
3287
2801
if client_name not in client_settings:
3288
2802
continue
3289
2803
3290
2804
# Decide which value to use after restoring saved state.
3291
2805
# We have three different values: Old config file,
3292
2806
# new config file, and saved state.
3303
2817
client[name] = value
3304
2818
except KeyError:
3305
2819
pass
3306
2820
3307
2821
# Clients who has passed its expire date can still be
3308
2822
# enabled if its last checker was successful. A Client
3309
2823
# whose checker succeeded before we stored its state is
3342
2856
client_name))
3343
2857
client["secret"] = (client_settings[client_name]
3344
2858
["secret"])
3345
2859
3346
2860
# Add/remove clients based on new changes made to config
3347
2861
for client_name in (set(old_client_settings)
3348
2862
- set(client_settings)):
3350
2864
for client_name in (set(client_settings)
3351
2865
- set(old_client_settings)):
3352
2866
clients_data[client_name] = client_settings[client_name]
3353
2867
3354
2868
# Create all client objects
3355
2869
for client_name, client in clients_data.items():
3356
2870
tcp_server.clients[client_name] = client_class(
3357
name=client_name,
3358
settings=client,
3359
server_settings=server_settings)
3360
2871
name = client_name,
2872
settings = client,
2873
server_settings = server_settings)
2874
3361
2875
if not tcp_server.clients:
3362
2876
logger.warning("No clients defined")
3363
2877
3364
2878
if not foreground:
3365
2879
if pidfile is not None:
3366
2880
pid = os.getpid()
3372
2886
pidfilename, pid)
3373
2887
del pidfile
3374
2888
del pidfilename
3375
3376
for termsig in (signal.SIGHUP, signal.SIGTERM):
3377
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3378
lambda: main_loop.quit() and False)
3379
2889
2890
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2891
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2892
3380
2893
if use_dbus:
3381
2894
3382
2895
@alternate_dbus_interfaces(
3383
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2896
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3384
2897
class MandosDBusService(DBusObjectWithObjectManager):
3385
2898
"""A D-Bus proxy object"""
3386
2899
3387
2900
def __init__(self):
3388
2901
dbus.service.Object.__init__(self, bus, "/")
3389
2902
3390
2903
_interface = "se.recompile.Mandos"
3391
2904
3392
2905
@dbus.service.signal(_interface, signature="o")
3393
2906
def ClientAdded(self, objpath):
3394
2907
"D-Bus signal"
3395
2908
pass
3396
2909
3397
2910
@dbus.service.signal(_interface, signature="ss")
3398
def ClientNotFound(self, key_id, address):
2911
def ClientNotFound(self, fingerprint, address):
3399
2912
"D-Bus signal"
3400
2913
pass
3401
2914
3402
2915
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3403
2916
"true"})
3404
2917
@dbus.service.signal(_interface, signature="os")
3405
2918
def ClientRemoved(self, objpath, name):
3406
2919
"D-Bus signal"
3407
2920
pass
3408
2921
3409
2922
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3410
2923
"true"})
3411
2924
@dbus.service.method(_interface, out_signature="ao")
3412
2925
def GetAllClients(self):
3413
2926
"D-Bus method"
3414
2927
return dbus.Array(c.dbus_object_path for c in
3415
tcp_server.clients.values())
3416
2928
tcp_server.clients.itervalues())
2929
3417
2930
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3418
2931
"true"})
3419
2932
@dbus.service.method(_interface,
3421
2934
def GetAllClientsWithProperties(self):
3422
2935
"D-Bus method"
3423
2936
return dbus.Dictionary(
3424
{c.dbus_object_path: c.GetAll(
2937
{ c.dbus_object_path: c.GetAll(
3425
2938
"se.recompile.Mandos.Client")
3426
for c in tcp_server.clients.values()},
2939
for c in tcp_server.clients.itervalues() },
3427
2940
signature="oa{sv}")
3428
2941
3429
2942
@dbus.service.method(_interface, in_signature="o")
3430
2943
def RemoveClient(self, object_path):
3431
2944
"D-Bus method"
3432
for c in tcp_server.clients.values():
2945
for c in tcp_server.clients.itervalues():
3433
2946
if c.dbus_object_path == object_path:
3434
2947
del tcp_server.clients[c.name]
3435
2948
c.remove_from_connection()
3439
2952
self.client_removed_signal(c)
3440
2953
return
3441
2954
raise KeyError(object_path)
3442
2955
3443
2956
del _interface
3444
2957
3445
2958
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3446
out_signature="a{oa{sa{sv}}}")
2959
out_signature = "a{oa{sa{sv}}}")
3447
2960
def GetManagedObjects(self):
3448
2961
"""D-Bus method"""
3449
2962
return dbus.Dictionary(
3450
{client.dbus_object_path:
3451
dbus.Dictionary(
3452
{interface: client.GetAll(interface)
3453
for interface in
3454
client._get_all_interface_names()})
3455
for client in tcp_server.clients.values()})
3456
2963
{ client.dbus_object_path:
2964
dbus.Dictionary(
2965
{ interface: client.GetAll(interface)
2966
for interface in
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2969
3457
2970
def client_added_signal(self, client):
3458
2971
"""Send the new standard signal and the old signal"""
3459
2972
if use_dbus:
3461
2974
self.InterfacesAdded(
3462
2975
client.dbus_object_path,
3463
2976
dbus.Dictionary(
3464
{interface: client.GetAll(interface)
3465
for interface in
3466
client._get_all_interface_names()}))
2977
{ interface: client.GetAll(interface)
2978
for interface in
2979
client._get_all_interface_names()}))
3467
2980
# Old signal
3468
2981
self.ClientAdded(client.dbus_object_path)
3469
2982
3470
2983
def client_removed_signal(self, client):
3471
2984
"""Send the new standard signal and the old signal"""
3472
2985
if use_dbus:
3477
2990
# Old signal
3478
2991
self.ClientRemoved(client.dbus_object_path,
3479
2992
client.name)
3480
2993
3481
2994
mandos_dbus_service = MandosDBusService()
3482
3483
# Save modules to variables to exempt the modules from being
3484
# unloaded before the function registered with atexit() is run.
3485
mp = multiprocessing
3486
wn = wnull
3487
2995
3488
2996
def cleanup():
3489
2997
"Cleanup function; run on exit"
3490
2998
if zeroconf:
3491
2999
service.cleanup()
3492
3493
mp.active_children()
3494
wn.close()
3000
3001
multiprocessing.active_children()
3002
wnull.close()
3495
3003
if not (tcp_server.clients or client_settings):
3496
3004
return
3497
3005
3498
3006
# Store client before exiting. Secrets are encrypted with key
3499
3007
# based on what config file has. If config file is
3500
3008
# removed/edited, old secret will thus be unrecovable.
3501
3009
clients = {}
3502
3010
with PGPEngine() as pgp:
3503
for client in tcp_server.clients.values():
3011
for client in tcp_server.clients.itervalues():
3504
3012
key = client_settings[client.name]["secret"]
3505
3013
client.encrypted_secret = pgp.encrypt(client.secret,
3506
3014
key)
3507
3015
client_dict = {}
3508
3016
3509
3017
# A list of attributes that can not be pickled
3510
3018
# + secret.
3511
exclude = {"bus", "changedstate", "secret",
3512
"checker", "server_settings"}
3019
exclude = { "bus", "changedstate", "secret",
3020
"checker", "server_settings" }
3513
3021
for name, typ in inspect.getmembers(dbus.service
3514
3022
.Object):
3515
3023
exclude.add(name)
3516
3024
3517
3025
client_dict["encrypted_secret"] = (client
3518
3026
.encrypted_secret)
3519
3027
for attr in client.client_structure:
3520
3028
if attr not in exclude:
3521
3029
client_dict[attr] = getattr(client, attr)
3522
3030
3523
3031
clients[client.name] = client_dict
3524
3032
del client_settings[client.name]["secret"]
3525
3033
3526
3034
try:
3527
3035
with tempfile.NamedTemporaryFile(
3528
3036
mode='wb',
3530
3038
prefix='clients-',
3531
3039
dir=os.path.dirname(stored_state_path),
3532
3040
delete=False) as stored_state:
3533
pickle.dump((clients, client_settings), stored_state,
3534
protocol=2)
3041
pickle.dump((clients, client_settings), stored_state)
3535
3042
tempname = stored_state.name
3536
3043
os.rename(tempname, stored_state_path)
3537
3044
except (IOError, OSError) as e:
3547
3054
logger.warning("Could not save persistent state:",
3548
3055
exc_info=e)
3549
3056
raise
3550
3057
3551
3058
# Delete all clients, and settings from config
3552
3059
while tcp_server.clients:
3553
3060
name, client = tcp_server.clients.popitem()
3559
3066
if use_dbus:
3560
3067
mandos_dbus_service.client_removed_signal(client)
3561
3068
client_settings.clear()
3562
3069
3563
3070
atexit.register(cleanup)
3564
3565
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3566
3073
if use_dbus:
3567
3074
# Emit D-Bus signal for adding
3568
3075
mandos_dbus_service.client_added_signal(client)
3569
3076
# Need to initiate checking of clients
3570
3077
if client.enabled:
3571
3078
client.init_checker()
3572
3079
3573
3080
tcp_server.enable()
3574
3081
tcp_server.server_activate()
3575
3082
3576
3083
# Find out what port we got
3577
3084
if zeroconf:
3578
3085
service.port = tcp_server.socket.getsockname()[1]
3583
3090
else: # IPv4
3584
3091
logger.info("Now listening on address %r, port %d",
3585
3092
*tcp_server.socket.getsockname())
3586
3587
# service.interface = tcp_server.socket.getsockname()[3]
3588
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3589
3096
try:
3590
3097
if zeroconf:
3591
3098
# From the Avahi example code
3596
3103
cleanup()
3597
3104
sys.exit(1)
3598
3105
# End of Avahi example code
3599
3600
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3601
lambda *args, **kwargs:
3602
(tcp_server.handle_request
3603
(*args[2:], **kwargs) or True))
3604
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3605
3112
logger.debug("Starting main loop")
3606
3113
main_loop.run()
3607
3114
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0