To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 800
- compare with another revision
- download diff
- download tarball
- view history from revision 800
- Committer: Teddy Hogeborn
- Date: 2016-02-21 14:24:01 UTC
- Revision ID: teddy@recompile.se-20160221142401-j7glu6a2hg604d1e
Use AddressSanitizer and UndefinedBehaviorSanitizer.
* Makefile (SANITIZE): New; set to all sanitizing options depending on
GCC version.
(CFLAGS): Added "$(SANITIZE)".
* Makefile (SANITIZE): New; set to all sanitizing options depending on
GCC version.
(CFLAGS): Added "$(SANITIZE)".
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python2.7
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
48
44
import argparse
49
45
import datetime
50
46
import errno
47
import gnutls.connection
48
import gnutls.errors
49
import gnutls.library.functions
50
import gnutls.library.constants
51
import gnutls.library.types
51
52
try:
52
53
import ConfigParser as configparser
53
54
except ImportError:
77
78
import itertools
78
79
import collections
79
80
import codecs
80
import unittest
81
import random
82
import shlex
83
81
84
82
import dbus
85
83
import dbus.service
86
import gi
87
from gi.repository import GLib
84
try:
85
import gobject
86
except ImportError:
87
from gi.repository import GObject as gobject
88
import avahi
88
89
from dbus.mainloop.glib import DBusGMainLoop
89
90
import ctypes
90
91
import ctypes.util
91
92
import xml.dom.minidom
92
93
import inspect
93
94
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
95
try:
122
96
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
97
except AttributeError:
124
98
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
99
from IN import SO_BINDTODEVICE
128
100
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.9"
101
SO_BINDTODEVICE = None
102
103
if sys.version_info.major == 2:
104
str = unicode
105
106
version = "1.7.1"
147
107
stored_state_file = "clients.pickle"
148
108
149
109
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
110
syslogger = None
152
111
153
112
try:
154
113
if_nametoindex = ctypes.cdll.LoadLibrary(
155
114
ctypes.util.find_library("c")).if_nametoindex
156
115
except (OSError, AttributeError):
157
116
158
117
def if_nametoindex(interface):
159
118
"Get an interface index the hard way, i.e. using fcntl()"
160
119
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
165
124
return interface_index
166
125
167
126
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
184
127
def initlogger(debug, level=logging.WARNING):
185
128
"""init logger and add loglevel"""
186
129
187
130
global syslogger
188
131
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
191
134
syslogger.setFormatter(logging.Formatter
192
135
('Mandos [%(process)d]: %(levelname)s:'
193
136
' %(message)s'))
194
137
logger.addHandler(syslogger)
195
138
196
139
if debug:
197
140
console = logging.StreamHandler()
198
141
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
208
151
pass
209
152
210
153
211
class PGPEngine:
154
class PGPEngine(object):
212
155
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
156
214
157
def __init__(self):
215
158
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
self.gpg = "gpg"
217
try:
218
output = subprocess.check_output(["gpgconf"])
219
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
222
self.gpg = path
223
break
224
except OSError as e:
225
if e.errno != errno.ENOENT:
226
raise
227
159
self.gnupgargs = ['--batch',
228
'--homedir', self.tempdir,
160
'--home', self.tempdir,
229
161
'--force-mdc',
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
162
'--quiet',
163
'--no-use-agent']
164
235
165
def __enter__(self):
236
166
return self
237
167
238
168
def __exit__(self, exc_type, exc_value, traceback):
239
169
self._cleanup()
240
170
return False
241
171
242
172
def __del__(self):
243
173
self._cleanup()
244
174
245
175
def _cleanup(self):
246
176
if self.tempdir is not None:
247
177
# Delete contents of tempdir
248
178
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
179
topdown = False):
250
180
for filename in files:
251
181
os.remove(os.path.join(root, filename))
252
182
for dirname in dirs:
254
184
# Remove tempdir
255
185
os.rmdir(self.tempdir)
256
186
self.tempdir = None
257
187
258
188
def password_encode(self, password):
259
189
# Passphrase can not be empty and can not contain newlines or
260
190
# NUL bytes. So we prefix it and hex encode it.
265
195
.replace(b"\n", b"\\n")
266
196
.replace(b"\0", b"\\x00"))
267
197
return encoded
268
198
269
199
def encrypt(self, data, password):
270
200
passphrase = self.password_encode(password)
271
201
with tempfile.NamedTemporaryFile(
272
202
dir=self.tempdir) as passfile:
273
203
passfile.write(passphrase)
274
204
passfile.flush()
275
proc = subprocess.Popen([self.gpg, '--symmetric',
205
proc = subprocess.Popen(['gpg', '--symmetric',
276
206
'--passphrase-file',
277
207
passfile.name]
278
208
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
283
213
if proc.returncode != 0:
284
214
raise PGPError(err)
285
215
return ciphertext
286
216
287
217
def decrypt(self, data, password):
288
218
passphrase = self.password_encode(password)
289
219
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
220
dir = self.tempdir) as passfile:
291
221
passfile.write(passphrase)
292
222
passfile.flush()
293
proc = subprocess.Popen([self.gpg, '--decrypt',
223
proc = subprocess.Popen(['gpg', '--decrypt',
294
224
'--passphrase-file',
295
225
passfile.name]
296
226
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
301
231
if proc.returncode != 0:
302
232
raise PGPError(err)
303
233
return decrypted_plaintext
304
234
305
235
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
332
236
class AvahiError(Exception):
333
237
def __init__(self, value, *args, **kwargs):
334
238
self.value = value
344
248
pass
345
249
346
250
347
class AvahiService:
251
class AvahiService(object):
348
252
"""An Avahi (Zeroconf) service.
349
253
350
254
Attributes:
351
255
interface: integer; avahi.IF_UNSPEC or an interface index.
352
256
Used to optionally bind to the specified interface.
364
268
server: D-Bus Server
365
269
bus: dbus.SystemBus()
366
270
"""
367
271
368
272
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
273
interface = avahi.IF_UNSPEC,
274
name = None,
275
servicetype = None,
276
port = None,
277
TXT = None,
278
domain = "",
279
host = "",
280
max_renames = 32768,
281
protocol = avahi.PROTO_UNSPEC,
282
bus = None):
379
283
self.interface = interface
380
284
self.name = name
381
285
self.type = servicetype
390
294
self.server = None
391
295
self.bus = bus
392
296
self.entry_group_state_changed_match = None
393
297
394
298
def rename(self, remove=True):
395
299
"""Derived from the Avahi example code"""
396
300
if self.rename_count >= self.max_renames:
416
320
logger.critical("D-Bus Exception", exc_info=error)
417
321
self.cleanup()
418
322
os._exit(1)
419
323
420
324
def remove(self):
421
325
"""Derived from the Avahi example code"""
422
326
if self.entry_group_state_changed_match is not None:
424
328
self.entry_group_state_changed_match = None
425
329
if self.group is not None:
426
330
self.group.Reset()
427
331
428
332
def add(self):
429
333
"""Derived from the Avahi example code"""
430
334
self.remove()
447
351
dbus.UInt16(self.port),
448
352
avahi.string_array_to_txt_array(self.TXT))
449
353
self.group.Commit()
450
354
451
355
def entry_group_state_changed(self, state, error):
452
356
"""Derived from the Avahi example code"""
453
357
logger.debug("Avahi entry group state change: %i", state)
454
358
455
359
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
360
logger.debug("Zeroconf service established.")
457
361
elif state == avahi.ENTRY_GROUP_COLLISION:
461
365
logger.critical("Avahi: Error in group state changed %s",
462
366
str(error))
463
367
raise AvahiGroupError("State changed: {!s}".format(error))
464
368
465
369
def cleanup(self):
466
370
"""Derived from the Avahi example code"""
467
371
if self.group is not None:
472
376
pass
473
377
self.group = None
474
378
self.remove()
475
379
476
380
def server_state_changed(self, state, error=None):
477
381
"""Derived from the Avahi example code"""
478
382
logger.debug("Avahi server state change: %i", state)
507
411
logger.debug("Unknown state: %r", state)
508
412
else:
509
413
logger.debug("Unknown state: %r: %r", state, error)
510
414
511
415
def activate(self):
512
416
"""Derived from the Avahi example code"""
513
417
if self.server is None:
524
428
class AvahiServiceToSyslog(AvahiService):
525
429
def rename(self, *args, **kwargs):
526
430
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
431
ret = AvahiService.rename(self, *args, **kwargs)
528
432
syslogger.setFormatter(logging.Formatter(
529
433
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
434
.format(self.name)))
531
435
return ret
532
436
533
534
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
544
# Unless otherwise indicated, the constants and types below are
545
# all from the gnutls/gnutls.h C header file.
546
547
# Constants
548
E_SUCCESS = 0
549
E_INTERRUPTED = -52
550
E_AGAIN = -28
551
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
CLIENT = 2
554
SHUT_RDWR = 0
555
CRD_CERTIFICATE = 1
556
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
564
# Types
565
class session_int(ctypes.Structure):
566
_fields_ = []
567
session_t = ctypes.POINTER(session_int)
568
569
class certificate_credentials_st(ctypes.Structure):
570
_fields_ = []
571
certificate_credentials_t = ctypes.POINTER(
572
certificate_credentials_st)
573
certificate_type_t = ctypes.c_int
574
575
class datum_t(ctypes.Structure):
576
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
('size', ctypes.c_uint)]
578
579
class openpgp_crt_int(ctypes.Structure):
580
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
credentials_type_t = ctypes.c_int
585
transport_ptr_t = ctypes.c_void_p
586
close_request_t = ctypes.c_int
587
588
# Exceptions
589
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
591
# Default usage is by a message string, but if a return
592
# code is passed, convert it to a string with
593
# gnutls.strerror()
594
self.code = code
595
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
598
message, *args)
599
600
class CertificateSecurityError(Error):
601
pass
602
603
# Classes
604
class Credentials:
605
def __init__(self):
606
self._c_object = gnutls.certificate_credentials_t()
607
gnutls.certificate_allocate_credentials(
608
ctypes.byref(self._c_object))
609
self.type = gnutls.CRD_CERTIFICATE
610
611
def __del__(self):
612
gnutls.certificate_free_credentials(self._c_object)
613
614
class ClientSession:
615
def __init__(self, socket, credentials=None):
616
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
624
gnutls.set_default_priority(self._c_object)
625
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
gnutls.handshake_set_private_extensions(self._c_object,
627
True)
628
self.socket = socket
629
if credentials is None:
630
credentials = gnutls.Credentials()
631
gnutls.credentials_set(self._c_object, credentials.type,
632
ctypes.cast(credentials._c_object,
633
ctypes.c_void_p))
634
self.credentials = credentials
635
636
def __del__(self):
637
gnutls.deinit(self._c_object)
638
639
def handshake(self):
640
return gnutls.handshake(self._c_object)
641
642
def send(self, data):
643
data = bytes(data)
644
data_len = len(data)
645
while data_len > 0:
646
data_len -= gnutls.record_send(self._c_object,
647
data[-data_len:],
648
data_len)
649
650
def bye(self):
651
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
652
653
# Error handling functions
654
def _error_code(result):
655
"""A function to raise exceptions on errors, suitable
656
for the 'restype' attribute on ctypes functions"""
657
if result >= 0:
658
return result
659
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
662
663
def _retry_on_error(result, func, arguments):
664
"""A function to retry on some errors, suitable
665
for the 'errcheck' attribute on ctypes functions"""
666
while result < 0:
667
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
668
return _error_code(result)
669
result = func(*arguments)
670
return result
671
672
# Unless otherwise indicated, the function declarations below are
673
# all from the gnutls/gnutls.h C header file.
674
675
# Functions
676
priority_set_direct = _library.gnutls_priority_set_direct
677
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
ctypes.POINTER(ctypes.c_char_p)]
679
priority_set_direct.restype = _error_code
680
681
init = _library.gnutls_init
682
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
init.restype = _error_code
684
685
set_default_priority = _library.gnutls_set_default_priority
686
set_default_priority.argtypes = [session_t]
687
set_default_priority.restype = _error_code
688
689
record_send = _library.gnutls_record_send
690
record_send.argtypes = [session_t, ctypes.c_void_p,
691
ctypes.c_size_t]
692
record_send.restype = ctypes.c_ssize_t
693
record_send.errcheck = _retry_on_error
694
695
certificate_allocate_credentials = (
696
_library.gnutls_certificate_allocate_credentials)
697
certificate_allocate_credentials.argtypes = [
698
ctypes.POINTER(certificate_credentials_t)]
699
certificate_allocate_credentials.restype = _error_code
700
701
certificate_free_credentials = (
702
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
705
certificate_free_credentials.restype = None
706
707
handshake_set_private_extensions = (
708
_library.gnutls_handshake_set_private_extensions)
709
handshake_set_private_extensions.argtypes = [session_t,
710
ctypes.c_int]
711
handshake_set_private_extensions.restype = None
712
713
credentials_set = _library.gnutls_credentials_set
714
credentials_set.argtypes = [session_t, credentials_type_t,
715
ctypes.c_void_p]
716
credentials_set.restype = _error_code
717
718
strerror = _library.gnutls_strerror
719
strerror.argtypes = [ctypes.c_int]
720
strerror.restype = ctypes.c_char_p
721
722
certificate_type_get = _library.gnutls_certificate_type_get
723
certificate_type_get.argtypes = [session_t]
724
certificate_type_get.restype = _error_code
725
726
certificate_get_peers = _library.gnutls_certificate_get_peers
727
certificate_get_peers.argtypes = [session_t,
728
ctypes.POINTER(ctypes.c_uint)]
729
certificate_get_peers.restype = ctypes.POINTER(datum_t)
730
731
global_set_log_level = _library.gnutls_global_set_log_level
732
global_set_log_level.argtypes = [ctypes.c_int]
733
global_set_log_level.restype = None
734
735
global_set_log_function = _library.gnutls_global_set_log_function
736
global_set_log_function.argtypes = [log_func]
737
global_set_log_function.restype = None
738
739
deinit = _library.gnutls_deinit
740
deinit.argtypes = [session_t]
741
deinit.restype = None
742
743
handshake = _library.gnutls_handshake
744
handshake.argtypes = [session_t]
745
handshake.restype = _error_code
746
handshake.errcheck = _retry_on_error
747
748
transport_set_ptr = _library.gnutls_transport_set_ptr
749
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
transport_set_ptr.restype = None
751
752
bye = _library.gnutls_bye
753
bye.argtypes = [session_t, close_request_t]
754
bye.restype = _error_code
755
bye.errcheck = _retry_on_error
756
757
check_version = _library.gnutls_check_version
758
check_version.argtypes = [ctypes.c_char_p]
759
check_version.restype = ctypes.c_char_p
760
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
830
831
# Remove non-public functions
832
del _error_code, _retry_on_error
833
834
835
437
def call_pipe(connection, # : multiprocessing.Connection
836
438
func, *args, **kwargs):
837
439
"""This function is meant to be called by multiprocessing.Process
838
440
839
441
This function runs func(*args, **kwargs), and writes the resulting
840
442
return value on the provided multiprocessing.Connection.
841
443
"""
842
444
connection.send(func(*args, **kwargs))
843
445
connection.close()
844
446
845
846
class Client:
447
class Client(object):
847
448
"""A representation of a client host served by this server.
848
449
849
450
Attributes:
850
451
approved: bool(); 'None' if not yet approved/disapproved
851
452
approval_delay: datetime.timedelta(); Time to wait for approval
852
453
approval_duration: datetime.timedelta(); Duration of one approval
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
856
checker_callback_tag: a GLib event source tag, or None
454
checker: subprocess.Popen(); a running checker process used
455
to see if the client lives.
456
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
857
458
checker_command: string; External command which is run to check
858
459
if client lives. %() expansions are done at
859
460
runtime with vars(self) as dict, so that for
860
461
instance %(name)s can be used in the command.
861
checker_initiator_tag: a GLib event source tag, or None
462
checker_initiator_tag: a gobject event source tag, or None
862
463
created: datetime.datetime(); (UTC) object creation
863
464
client_structure: Object describing what attributes a client has
864
465
and is used for storing the client at exit
865
466
current_checker_command: string; current running checker_command
866
disable_initiator_tag: a GLib event source tag, or None
467
disable_initiator_tag: a gobject event source tag, or None
867
468
enabled: bool()
868
469
fingerprint: string (40 or 32 hexadecimal digits); used to
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
470
uniquely identify the client
872
471
host: string; available for use by the checker command
873
472
interval: datetime.timedelta(); How often to start a new checker
874
473
last_approval_request: datetime.datetime(); (UTC) or None
890
489
disabled, or None
891
490
server_settings: The server_settings dict from main()
892
491
"""
893
492
894
493
runtime_expansions = ("approval_delay", "approval_duration",
895
"created", "enabled", "expires", "key_id",
494
"created", "enabled", "expires",
896
495
"fingerprint", "host", "interval",
897
496
"last_approval_request", "last_checked_ok",
898
497
"last_enabled", "name", "timeout")
907
506
"approved_by_default": "True",
908
507
"enabled": "True",
909
508
}
910
509
911
510
@staticmethod
912
511
def config_parser(config):
913
512
"""Construct a new dict of client settings of this form:
920
519
for client_name in config.sections():
921
520
section = dict(config.items(client_name))
922
521
client = settings[client_name] = {}
923
522
924
523
client["host"] = section["host"]
925
524
# Reformat values from string types to Python types
926
525
client["approved_by_default"] = config.getboolean(
927
526
client_name, "approved_by_default")
928
527
client["enabled"] = config.getboolean(client_name,
929
528
"enabled")
930
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
529
530
# Uppercase and remove spaces from fingerprint for later
531
# comparison purposes with return value from the
532
# fingerprint() function
936
533
client["fingerprint"] = (section["fingerprint"].upper()
937
534
.replace(" ", ""))
938
535
if "secret" in section:
939
client["secret"] = codecs.decode(section["secret"]
940
.encode("utf-8"),
941
"base64")
536
client["secret"] = section["secret"].decode("base64")
942
537
elif "secfile" in section:
943
538
with open(os.path.expanduser(os.path.expandvars
944
539
(section["secfile"])),
959
554
client["last_approval_request"] = None
960
555
client["last_checked_ok"] = None
961
556
client["last_checker_status"] = -2
962
557
963
558
return settings
964
965
def __init__(self, settings, name=None, server_settings=None):
559
560
def __init__(self, settings, name = None, server_settings=None):
966
561
self.name = name
967
562
if server_settings is None:
968
563
server_settings = {}
970
565
# adding all client settings
971
566
for setting, value in settings.items():
972
567
setattr(self, setting, value)
973
568
974
569
if self.enabled:
975
570
if not hasattr(self, "last_enabled"):
976
571
self.last_enabled = datetime.datetime.utcnow()
980
575
else:
981
576
self.last_enabled = None
982
577
self.expires = None
983
578
984
579
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
986
580
logger.debug(" Fingerprint: %s", self.fingerprint)
987
581
self.created = settings.get("created",
988
582
datetime.datetime.utcnow())
989
583
990
584
# attributes specific for this server instance
991
585
self.checker = None
992
586
self.checker_initiator_tag = None
998
592
self.changedstate = multiprocessing_manager.Condition(
999
593
multiprocessing_manager.Lock())
1000
594
self.client_structure = [attr
1001
for attr in self.__dict__.keys()
595
for attr in self.__dict__.iterkeys()
1002
596
if not attr.startswith("_")]
1003
597
self.client_structure.append("client_structure")
1004
598
1005
599
for name, t in inspect.getmembers(
1006
600
type(self), lambda obj: isinstance(obj, property)):
1007
601
if not name.startswith("_"):
1008
602
self.client_structure.append(name)
1009
603
1010
604
# Send notice to process children that client state has changed
1011
605
def send_changedstate(self):
1012
606
with self.changedstate:
1013
607
self.changedstate.notify_all()
1014
608
1015
609
def enable(self):
1016
610
"""Start this client's checker and timeout hooks"""
1017
611
if getattr(self, "enabled", False):
1022
616
self.last_enabled = datetime.datetime.utcnow()
1023
617
self.init_checker()
1024
618
self.send_changedstate()
1025
619
1026
620
def disable(self, quiet=True):
1027
621
"""Disable this client."""
1028
622
if not getattr(self, "enabled", False):
1030
624
if not quiet:
1031
625
logger.info("Disabling client %s", self.name)
1032
626
if getattr(self, "disable_initiator_tag", None) is not None:
1033
GLib.source_remove(self.disable_initiator_tag)
627
gobject.source_remove(self.disable_initiator_tag)
1034
628
self.disable_initiator_tag = None
1035
629
self.expires = None
1036
630
if getattr(self, "checker_initiator_tag", None) is not None:
1037
GLib.source_remove(self.checker_initiator_tag)
631
gobject.source_remove(self.checker_initiator_tag)
1038
632
self.checker_initiator_tag = None
1039
633
self.stop_checker()
1040
634
self.enabled = False
1041
635
if not quiet:
1042
636
self.send_changedstate()
1043
# Do not run this again if called by a GLib.timeout_add
637
# Do not run this again if called by a gobject.timeout_add
1044
638
return False
1045
639
1046
640
def __del__(self):
1047
641
self.disable()
1048
642
1049
643
def init_checker(self):
1050
644
# Schedule a new checker to be started an 'interval' from now,
1051
645
# and every interval from then on.
1052
646
if self.checker_initiator_tag is not None:
1053
GLib.source_remove(self.checker_initiator_tag)
1054
self.checker_initiator_tag = GLib.timeout_add(
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
647
gobject.source_remove(self.checker_initiator_tag)
648
self.checker_initiator_tag = gobject.timeout_add(
649
int(self.interval.total_seconds() * 1000),
1057
650
self.start_checker)
1058
651
# Schedule a disable() when 'timeout' has passed
1059
652
if self.disable_initiator_tag is not None:
1060
GLib.source_remove(self.disable_initiator_tag)
1061
self.disable_initiator_tag = GLib.timeout_add(
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = gobject.timeout_add(
1062
655
int(self.timeout.total_seconds() * 1000), self.disable)
1063
656
# Also start a new checker *right now*.
1064
657
self.start_checker()
1065
658
1066
659
def checker_callback(self, source, condition, connection,
1067
660
command):
1068
661
"""The checker has completed, so take appropriate actions."""
662
self.checker_callback_tag = None
663
self.checker = None
1069
664
# Read return code from connection (see call_pipe)
1070
665
returncode = connection.recv()
1071
666
connection.close()
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1076
667
1077
668
if returncode >= 0:
1078
669
self.last_checker_status = returncode
1079
670
self.last_checker_signal = None
1089
680
logger.warning("Checker for %(name)s crashed?",
1090
681
vars(self))
1091
682
return False
1092
683
1093
684
def checked_ok(self):
1094
685
"""Assert that the client has been seen, alive and well."""
1095
686
self.last_checked_ok = datetime.datetime.utcnow()
1096
687
self.last_checker_status = 0
1097
688
self.last_checker_signal = None
1098
689
self.bump_timeout()
1099
690
1100
691
def bump_timeout(self, timeout=None):
1101
692
"""Bump up the timeout for this client."""
1102
693
if timeout is None:
1103
694
timeout = self.timeout
1104
695
if self.disable_initiator_tag is not None:
1105
GLib.source_remove(self.disable_initiator_tag)
696
gobject.source_remove(self.disable_initiator_tag)
1106
697
self.disable_initiator_tag = None
1107
698
if getattr(self, "enabled", False):
1108
self.disable_initiator_tag = GLib.timeout_add(
699
self.disable_initiator_tag = gobject.timeout_add(
1109
700
int(timeout.total_seconds() * 1000), self.disable)
1110
701
self.expires = datetime.datetime.utcnow() + timeout
1111
702
1112
703
def need_approval(self):
1113
704
self.last_approval_request = datetime.datetime.utcnow()
1114
705
1115
706
def start_checker(self):
1116
707
"""Start a new checker subprocess if one is not running.
1117
708
1118
709
If a checker already exists, leave it running and do
1119
710
nothing."""
1120
711
# The reason for not killing a running checker is that if we
1125
716
# checkers alone, the checker would have to take more time
1126
717
# than 'timeout' for the client to be disabled, which is as it
1127
718
# should be.
1128
719
1129
720
if self.checker is not None and not self.checker.is_alive():
1130
721
logger.warning("Checker was not alive; joining")
1131
722
self.checker.join()
1134
725
if self.checker is None:
1135
726
# Escape attributes for the shell
1136
727
escaped_attrs = {
1137
attr: shlex.quote(str(getattr(self, attr)))
1138
for attr in self.runtime_expansions}
728
attr: re.escape(str(getattr(self, attr)))
729
for attr in self.runtime_expansions }
1139
730
try:
1140
731
command = self.checker_command % escaped_attrs
1141
732
except TypeError as error:
1153
744
# The exception is when not debugging but nevertheless
1154
745
# running in the foreground; use the previously
1155
746
# created wnull.
1156
popen_args = {"close_fds": True,
1157
"shell": True,
1158
"cwd": "/"}
747
popen_args = { "close_fds": True,
748
"shell": True,
749
"cwd": "/" }
1159
750
if (not self.server_settings["debug"]
1160
751
and self.server_settings["foreground"]):
1161
752
popen_args.update({"stdout": wnull,
1162
"stderr": wnull})
1163
pipe = multiprocessing.Pipe(duplex=False)
753
"stderr": wnull })
754
pipe = multiprocessing.Pipe(duplex = False)
1164
755
self.checker = multiprocessing.Process(
1165
target=call_pipe,
1166
args=(pipe[1], subprocess.call, command),
1167
kwargs=popen_args)
756
target = call_pipe,
757
args = (pipe[1], subprocess.call, command),
758
kwargs = popen_args)
1168
759
self.checker.start()
1169
self.checker_callback_tag = GLib.io_add_watch(
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
1172
762
self.checker_callback, pipe[0], command)
1173
# Re-run this periodically if run by GLib.timeout_add
763
# Re-run this periodically if run by gobject.timeout_add
1174
764
return True
1175
765
1176
766
def stop_checker(self):
1177
767
"""Force the checker process, if any, to stop."""
1178
768
if self.checker_callback_tag:
1179
GLib.source_remove(self.checker_callback_tag)
769
gobject.source_remove(self.checker_callback_tag)
1180
770
self.checker_callback_tag = None
1181
771
if getattr(self, "checker", None) is None:
1182
772
return
1191
781
byte_arrays=False):
1192
782
"""Decorators for marking methods of a DBusObjectWithProperties to
1193
783
become properties on the D-Bus.
1194
784
1195
785
The decorated method will be called with no arguments by "Get"
1196
786
and with one argument by "Set".
1197
787
1198
788
The parameters, where they are supported, are the same as
1199
789
dbus.service.method, except there is only "signature", since the
1200
790
type from Get() and the type sent to Set() is the same.
1204
794
if byte_arrays and signature != "ay":
1205
795
raise ValueError("Byte arrays not supported for non-'ay'"
1206
796
" signature {!r}".format(signature))
1207
797
1208
798
def decorator(func):
1209
799
func._dbus_is_property = True
1210
800
func._dbus_interface = dbus_interface
1213
803
func._dbus_name = func.__name__
1214
804
if func._dbus_name.endswith("_dbus_property"):
1215
805
func._dbus_name = func._dbus_name[:-14]
1216
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1217
807
return func
1218
808
1219
809
return decorator
1220
810
1221
811
1222
812
def dbus_interface_annotations(dbus_interface):
1223
813
"""Decorator for marking functions returning interface annotations
1224
814
1225
815
Usage:
1226
816
1227
817
@dbus_interface_annotations("org.example.Interface")
1228
818
def _foo(self): # Function name does not matter
1229
819
return {"org.freedesktop.DBus.Deprecated": "true",
1230
820
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1231
821
"false"}
1232
822
"""
1233
823
1234
824
def decorator(func):
1235
825
func._dbus_is_interface = True
1236
826
func._dbus_interface = dbus_interface
1237
827
func._dbus_name = dbus_interface
1238
828
return func
1239
829
1240
830
return decorator
1241
831
1242
832
1243
833
def dbus_annotations(annotations):
1244
834
"""Decorator to annotate D-Bus methods, signals or properties
1245
835
Usage:
1246
836
1247
837
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1248
838
"org.freedesktop.DBus.Property."
1249
839
"EmitsChangedSignal": "false"})
1251
841
access="r")
1252
842
def Property_dbus_property(self):
1253
843
return dbus.Boolean(False)
1254
844
1255
845
See also the DBusObjectWithAnnotations class.
1256
846
"""
1257
847
1258
848
def decorator(func):
1259
849
func._dbus_annotations = annotations
1260
850
return func
1261
851
1262
852
return decorator
1263
853
1264
854
1282
872
1283
873
class DBusObjectWithAnnotations(dbus.service.Object):
1284
874
"""A D-Bus object with annotations.
1285
875
1286
876
Classes inheriting from this can use the dbus_annotations
1287
877
decorator to add annotations to methods or signals.
1288
878
"""
1289
879
1290
880
@staticmethod
1291
881
def _is_dbus_thing(thing):
1292
882
"""Returns a function testing if an attribute is a D-Bus thing
1293
883
1294
884
If called like _is_dbus_thing("method") it returns a function
1295
885
suitable for use as predicate to inspect.getmembers().
1296
886
"""
1297
887
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1298
888
False)
1299
889
1300
890
def _get_all_dbus_things(self, thing):
1301
891
"""Returns a generator of (name, attribute) pairs
1302
892
"""
1305
895
for cls in self.__class__.__mro__
1306
896
for name, athing in
1307
897
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1308
898
1309
899
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1310
out_signature="s",
1311
path_keyword='object_path',
1312
connection_keyword='connection')
900
out_signature = "s",
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
1313
903
def Introspect(self, object_path, connection):
1314
904
"""Overloading of standard D-Bus method.
1315
905
1316
906
Inserts annotation tags on methods and signals.
1317
907
"""
1318
908
xmlstring = dbus.service.Object.Introspect(self, object_path,
1319
909
connection)
1320
910
try:
1321
911
document = xml.dom.minidom.parseString(xmlstring)
1322
912
1323
913
for if_tag in document.getElementsByTagName("interface"):
1324
914
# Add annotation tags
1325
915
for typ in ("method", "signal"):
1352
942
if_tag.appendChild(ann_tag)
1353
943
# Fix argument name for the Introspect method itself
1354
944
if (if_tag.getAttribute("name")
1355
== dbus.INTROSPECTABLE_IFACE):
945
== dbus.INTROSPECTABLE_IFACE):
1356
946
for cn in if_tag.getElementsByTagName("method"):
1357
947
if cn.getAttribute("name") == "Introspect":
1358
948
for arg in cn.getElementsByTagName("arg"):
1371
961
1372
962
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1373
963
"""A D-Bus object with properties.
1374
964
1375
965
Classes inheriting from this can use the dbus_service_property
1376
966
decorator to expose methods as D-Bus properties. It exposes the
1377
967
standard Get(), Set(), and GetAll() methods on the D-Bus.
1378
968
"""
1379
969
1380
970
def _get_dbus_property(self, interface_name, property_name):
1381
971
"""Returns a bound method if one exists which is a D-Bus
1382
972
property with the specified name and interface.
1387
977
if (value._dbus_name == property_name
1388
978
and value._dbus_interface == interface_name):
1389
979
return value.__get__(self)
1390
980
1391
981
# No such property
1392
982
raise DBusPropertyNotFound("{}:{}.{}".format(
1393
983
self.dbus_object_path, interface_name, property_name))
1394
984
1395
985
@classmethod
1396
986
def _get_all_interface_names(cls):
1397
987
"""Get a sequence of all interfaces supported by an object"""
1400
990
for x in (inspect.getmro(cls))
1401
991
for attr in dir(x))
1402
992
if name is not None)
1403
993
1404
994
@dbus.service.method(dbus.PROPERTIES_IFACE,
1405
995
in_signature="ss",
1406
996
out_signature="v")
1414
1004
if not hasattr(value, "variant_level"):
1415
1005
return value
1416
1006
return type(value)(value, variant_level=value.variant_level+1)
1417
1007
1418
1008
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1419
1009
def Set(self, interface_name, property_name, value):
1420
1010
"""Standard D-Bus property Set() method, see D-Bus standard.
1429
1019
raise ValueError("Byte arrays not supported for non-"
1430
1020
"'ay' signature {!r}"
1431
1021
.format(prop._dbus_signature))
1432
value = dbus.ByteArray(bytes(value))
1022
value = dbus.ByteArray(b''.join(chr(byte)
1023
for byte in value))
1433
1024
prop(value)
1434
1025
1435
1026
@dbus.service.method(dbus.PROPERTIES_IFACE,
1436
1027
in_signature="s",
1437
1028
out_signature="a{sv}")
1438
1029
def GetAll(self, interface_name):
1439
1030
"""Standard D-Bus property GetAll() method, see D-Bus
1440
1031
standard.
1441
1032
1442
1033
Note: Will not include properties with access="write".
1443
1034
"""
1444
1035
properties = {}
1455
1046
properties[name] = value
1456
1047
continue
1457
1048
properties[name] = type(value)(
1458
value, variant_level=value.variant_level + 1)
1049
value, variant_level = value.variant_level + 1)
1459
1050
return dbus.Dictionary(properties, signature="sv")
1460
1051
1461
1052
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1462
1053
def PropertiesChanged(self, interface_name, changed_properties,
1463
1054
invalidated_properties):
1465
1056
standard.
1466
1057
"""
1467
1058
pass
1468
1059
1469
1060
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1470
1061
out_signature="s",
1471
1062
path_keyword='object_path',
1472
1063
connection_keyword='connection')
1473
1064
def Introspect(self, object_path, connection):
1474
1065
"""Overloading of standard D-Bus method.
1475
1066
1476
1067
Inserts property tags and interface annotation tags.
1477
1068
"""
1478
1069
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1480
1071
connection)
1481
1072
try:
1482
1073
document = xml.dom.minidom.parseString(xmlstring)
1483
1074
1484
1075
def make_tag(document, name, prop):
1485
1076
e = document.createElement("property")
1486
1077
e.setAttribute("name", name)
1487
1078
e.setAttribute("type", prop._dbus_signature)
1488
1079
e.setAttribute("access", prop._dbus_access)
1489
1080
return e
1490
1081
1491
1082
for if_tag in document.getElementsByTagName("interface"):
1492
1083
# Add property tags
1493
1084
for tag in (make_tag(document, name, prop)
1535
1126
exc_info=error)
1536
1127
return xmlstring
1537
1128
1538
1539
1129
try:
1540
1130
dbus.OBJECT_MANAGER_IFACE
1541
1131
except AttributeError:
1542
1132
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1543
1133
1544
1545
1134
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1546
1135
"""A D-Bus object with an ObjectManager.
1547
1136
1548
1137
Classes inheriting from this exposes the standard
1549
1138
GetManagedObjects call and the InterfacesAdded and
1550
1139
InterfacesRemoved signals on the standard
1551
1140
"org.freedesktop.DBus.ObjectManager" interface.
1552
1141
1553
1142
Note: No signals are sent automatically; they must be sent
1554
1143
manually.
1555
1144
"""
1556
1145
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1557
out_signature="a{oa{sa{sv}}}")
1146
out_signature = "a{oa{sa{sv}}}")
1558
1147
def GetManagedObjects(self):
1559
1148
"""This function must be overridden"""
1560
1149
raise NotImplementedError()
1561
1150
1562
1151
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1563
signature="oa{sa{sv}}")
1152
signature = "oa{sa{sv}}")
1564
1153
def InterfacesAdded(self, object_path, interfaces_and_properties):
1565
1154
pass
1566
1567
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1155
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1568
1157
def InterfacesRemoved(self, object_path, interfaces):
1569
1158
pass
1570
1159
1571
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1572
out_signature="s",
1573
path_keyword='object_path',
1574
connection_keyword='connection')
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1575
1164
def Introspect(self, object_path, connection):
1576
1165
"""Overloading of standard D-Bus method.
1577
1166
1578
1167
Override return argument name of GetManagedObjects to be
1579
1168
"objpath_interfaces_and_properties"
1580
1169
"""
1583
1172
connection)
1584
1173
try:
1585
1174
document = xml.dom.minidom.parseString(xmlstring)
1586
1175
1587
1176
for if_tag in document.getElementsByTagName("interface"):
1588
1177
# Fix argument name for the GetManagedObjects method
1589
1178
if (if_tag.getAttribute("name")
1590
== dbus.OBJECT_MANAGER_IFACE):
1179
== dbus.OBJECT_MANAGER_IFACE):
1591
1180
for cn in if_tag.getElementsByTagName("method"):
1592
1181
if (cn.getAttribute("name")
1593
1182
== "GetManagedObjects"):
1603
1192
except (AttributeError, xml.dom.DOMException,
1604
1193
xml.parsers.expat.ExpatError) as error:
1605
1194
logger.error("Failed to override Introspection method",
1606
exc_info=error)
1195
exc_info = error)
1607
1196
return xmlstring
1608
1197
1609
1610
1198
def datetime_to_dbus(dt, variant_level=0):
1611
1199
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1612
1200
if dt is None:
1613
return dbus.String("", variant_level=variant_level)
1201
return dbus.String("", variant_level = variant_level)
1614
1202
return dbus.String(dt.isoformat(), variant_level=variant_level)
1615
1203
1616
1204
1619
1207
dbus.service.Object, it will add alternate D-Bus attributes with
1620
1208
interface names according to the "alt_interface_names" mapping.
1621
1209
Usage:
1622
1210
1623
1211
@alternate_dbus_interfaces({"org.example.Interface":
1624
1212
"net.example.AlternateInterface"})
1625
1213
class SampleDBusObject(dbus.service.Object):
1626
1214
@dbus.service.method("org.example.Interface")
1627
1215
def SampleDBusMethod():
1628
1216
pass
1629
1217
1630
1218
The above "SampleDBusMethod" on "SampleDBusObject" will be
1631
1219
reachable via two interfaces: "org.example.Interface" and
1632
1220
"net.example.AlternateInterface", the latter of which will have
1633
1221
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1634
1222
"true", unless "deprecate" is passed with a False value.
1635
1223
1636
1224
This works for methods and signals, and also for D-Bus properties
1637
1225
(from DBusObjectWithProperties) and interfaces (from the
1638
1226
dbus_interface_annotations decorator).
1639
1227
"""
1640
1228
1641
1229
def wrapper(cls):
1642
1230
for orig_interface_name, alt_interface_name in (
1643
1231
alt_interface_names.items()):
1658
1246
interface_names.add(alt_interface)
1659
1247
# Is this a D-Bus signal?
1660
1248
if getattr(attribute, "_dbus_is_signal", False):
1661
# Extract the original non-method undecorated
1662
# function by black magic
1663
1249
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1664
1252
nonmethod_func = (dict(
1665
1253
zip(attribute.func_code.co_freevars,
1666
1254
attribute.__closure__))
1667
1255
["func"].cell_contents)
1668
1256
else:
1669
nonmethod_func = (dict(
1670
zip(attribute.__code__.co_freevars,
1671
attribute.__closure__))
1672
["func"].cell_contents)
1257
nonmethod_func = attribute
1673
1258
# Create a new, but exactly alike, function
1674
1259
# object, and decorate it to be a new D-Bus signal
1675
1260
# with the alternate D-Bus interface name
1676
new_function = copy_function(nonmethod_func)
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1268
else:
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1677
1275
new_function = (dbus.service.signal(
1678
1276
alt_interface,
1679
1277
attribute._dbus_signature)(new_function))
1683
1281
attribute._dbus_annotations)
1684
1282
except AttributeError:
1685
1283
pass
1686
1687
1284
# Define a creator of a function to call both the
1688
1285
# original and alternate functions, so both the
1689
1286
# original and alternate signals gets sent when
1692
1289
"""This function is a scope container to pass
1693
1290
func1 and func2 to the "call_both" function
1694
1291
outside of its arguments"""
1695
1292
1696
1293
@functools.wraps(func2)
1697
1294
def call_both(*args, **kwargs):
1698
1295
"""This function will emit two D-Bus
1699
1296
signals by calling func1 and func2"""
1700
1297
func1(*args, **kwargs)
1701
1298
func2(*args, **kwargs)
1702
# Make wrapper function look like a D-Bus
1703
# signal
1299
# Make wrapper function look like a D-Bus signal
1704
1300
for name, attr in inspect.getmembers(func2):
1705
1301
if name.startswith("_dbus_"):
1706
1302
setattr(call_both, name, attr)
1707
1303
1708
1304
return call_both
1709
1305
# Create the "call_both" function and add it to
1710
1306
# the class
1720
1316
alt_interface,
1721
1317
attribute._dbus_in_signature,
1722
1318
attribute._dbus_out_signature)
1723
(copy_function(attribute)))
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1724
1324
# Copy annotations, if any
1725
1325
try:
1726
1326
attr[attrname]._dbus_annotations = dict(
1738
1338
attribute._dbus_access,
1739
1339
attribute._dbus_get_args_options
1740
1340
["byte_arrays"])
1741
(copy_function(attribute)))
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1742
1347
# Copy annotations, if any
1743
1348
try:
1744
1349
attr[attrname]._dbus_annotations = dict(
1753
1358
# to the class.
1754
1359
attr[attrname] = (
1755
1360
dbus_interface_annotations(alt_interface)
1756
(copy_function(attribute)))
1361
(types.FunctionType(attribute.func_code,
1362
attribute.func_globals,
1363
attribute.func_name,
1364
attribute.func_defaults,
1365
attribute.func_closure)))
1757
1366
if deprecate:
1758
1367
# Deprecate all alternate interfaces
1759
iname = "_AlternateDBusNames_interface_annotation{}"
1368
iname="_AlternateDBusNames_interface_annotation{}"
1760
1369
for interface_name in interface_names:
1761
1370
1762
1371
@dbus_interface_annotations(interface_name)
1763
1372
def func(self):
1764
return {"org.freedesktop.DBus.Deprecated":
1765
"true"}
1373
return { "org.freedesktop.DBus.Deprecated":
1374
"true" }
1766
1375
# Find an unused name
1767
1376
for aname in (iname.format(i)
1768
1377
for i in itertools.count()):
1772
1381
if interface_names:
1773
1382
# Replace the class with a new subclass of it with
1774
1383
# methods, signals, etc. as created above.
1775
if sys.version_info.major == 2:
1776
cls = type(b"{}Alternate".format(cls.__name__),
1777
(cls, ), attr)
1778
else:
1779
cls = type("{}Alternate".format(cls.__name__),
1780
(cls, ), attr)
1384
cls = type(b"{}Alternate".format(cls.__name__),
1385
(cls, ), attr)
1781
1386
return cls
1782
1387
1783
1388
return wrapper
1784
1389
1785
1390
1787
1392
"se.bsnet.fukt.Mandos"})
1788
1393
class ClientDBus(Client, DBusObjectWithProperties):
1789
1394
"""A Client class using D-Bus
1790
1395
1791
1396
Attributes:
1792
1397
dbus_object_path: dbus.ObjectPath
1793
1398
bus: dbus.SystemBus()
1794
1399
"""
1795
1400
1796
1401
runtime_expansions = (Client.runtime_expansions
1797
1402
+ ("dbus_object_path", ))
1798
1403
1799
1404
_interface = "se.recompile.Mandos.Client"
1800
1405
1801
1406
# dbus.service.Object doesn't use super(), so we can't either.
1802
1803
def __init__(self, bus=None, *args, **kwargs):
1407
1408
def __init__(self, bus = None, *args, **kwargs):
1804
1409
self.bus = bus
1805
1410
Client.__init__(self, *args, **kwargs)
1806
1411
# Only now, when this client is initialized, can it show up on
1812
1417
"/clients/" + client_object_name)
1813
1418
DBusObjectWithProperties.__init__(self, self.bus,
1814
1419
self.dbus_object_path)
1815
1420
1816
1421
def notifychangeproperty(transform_func, dbus_name,
1817
1422
type_func=lambda x: x,
1818
1423
variant_level=1,
1820
1425
_interface=_interface):
1821
1426
""" Modify a variable so that it's a property which announces
1822
1427
its changes to DBus.
1823
1428
1824
1429
transform_fun: Function that takes a value and a variant_level
1825
1430
and transforms it to a D-Bus type.
1826
1431
dbus_name: D-Bus name of the variable
1829
1434
variant_level: D-Bus variant level. Default: 1
1830
1435
"""
1831
1436
attrname = "_{}".format(dbus_name)
1832
1437
1833
1438
def setter(self, value):
1834
1439
if hasattr(self, "dbus_object_path"):
1835
1440
if (not hasattr(self, attrname) or
1842
1447
else:
1843
1448
dbus_value = transform_func(
1844
1449
type_func(value),
1845
variant_level=variant_level)
1450
variant_level = variant_level)
1846
1451
self.PropertyChanged(dbus.String(dbus_name),
1847
1452
dbus_value)
1848
1453
self.PropertiesChanged(
1849
1454
_interface,
1850
dbus.Dictionary({dbus.String(dbus_name):
1851
dbus_value}),
1455
dbus.Dictionary({ dbus.String(dbus_name):
1456
dbus_value }),
1852
1457
dbus.Array())
1853
1458
setattr(self, attrname, value)
1854
1459
1855
1460
return property(lambda self: getattr(self, attrname), setter)
1856
1461
1857
1462
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1858
1463
approvals_pending = notifychangeproperty(dbus.Boolean,
1859
1464
"ApprovalPending",
1860
type_func=bool)
1465
type_func = bool)
1861
1466
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1862
1467
last_enabled = notifychangeproperty(datetime_to_dbus,
1863
1468
"LastEnabled")
1864
1469
checker = notifychangeproperty(
1865
1470
dbus.Boolean, "CheckerRunning",
1866
type_func=lambda checker: checker is not None)
1471
type_func = lambda checker: checker is not None)
1867
1472
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1868
1473
"LastCheckedOK")
1869
1474
last_checker_status = notifychangeproperty(dbus.Int16,
1874
1479
"ApprovedByDefault")
1875
1480
approval_delay = notifychangeproperty(
1876
1481
dbus.UInt64, "ApprovalDelay",
1877
type_func=lambda td: td.total_seconds() * 1000)
1482
type_func = lambda td: td.total_seconds() * 1000)
1878
1483
approval_duration = notifychangeproperty(
1879
1484
dbus.UInt64, "ApprovalDuration",
1880
type_func=lambda td: td.total_seconds() * 1000)
1485
type_func = lambda td: td.total_seconds() * 1000)
1881
1486
host = notifychangeproperty(dbus.String, "Host")
1882
1487
timeout = notifychangeproperty(
1883
1488
dbus.UInt64, "Timeout",
1884
type_func=lambda td: td.total_seconds() * 1000)
1489
type_func = lambda td: td.total_seconds() * 1000)
1885
1490
extended_timeout = notifychangeproperty(
1886
1491
dbus.UInt64, "ExtendedTimeout",
1887
type_func=lambda td: td.total_seconds() * 1000)
1492
type_func = lambda td: td.total_seconds() * 1000)
1888
1493
interval = notifychangeproperty(
1889
1494
dbus.UInt64, "Interval",
1890
type_func=lambda td: td.total_seconds() * 1000)
1495
type_func = lambda td: td.total_seconds() * 1000)
1891
1496
checker_command = notifychangeproperty(dbus.String, "Checker")
1892
1497
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1893
1498
invalidate_only=True)
1894
1499
1895
1500
del notifychangeproperty
1896
1501
1897
1502
def __del__(self, *args, **kwargs):
1898
1503
try:
1899
1504
self.remove_from_connection()
1902
1507
if hasattr(DBusObjectWithProperties, "__del__"):
1903
1508
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1904
1509
Client.__del__(self, *args, **kwargs)
1905
1510
1906
1511
def checker_callback(self, source, condition,
1907
1512
connection, command, *args, **kwargs):
1908
1513
ret = Client.checker_callback(self, source, condition,
1924
1529
| self.last_checker_signal),
1925
1530
dbus.String(command))
1926
1531
return ret
1927
1532
1928
1533
def start_checker(self, *args, **kwargs):
1929
1534
old_checker_pid = getattr(self.checker, "pid", None)
1930
1535
r = Client.start_checker(self, *args, **kwargs)
1934
1539
# Emit D-Bus signal
1935
1540
self.CheckerStarted(self.current_checker_command)
1936
1541
return r
1937
1542
1938
1543
def _reset_approved(self):
1939
1544
self.approved = None
1940
1545
return False
1941
1546
1942
1547
def approve(self, value=True):
1943
1548
self.approved = value
1944
GLib.timeout_add(int(self.approval_duration.total_seconds()
1945
* 1000), self._reset_approved)
1549
gobject.timeout_add(int(self.approval_duration.total_seconds()
1550
* 1000), self._reset_approved)
1946
1551
self.send_changedstate()
1947
1948
# D-Bus methods, signals & properties
1949
1950
# Interfaces
1951
1952
# Signals
1953
1552
1553
## D-Bus methods, signals & properties
1554
1555
## Interfaces
1556
1557
## Signals
1558
1954
1559
# CheckerCompleted - signal
1955
1560
@dbus.service.signal(_interface, signature="nxs")
1956
1561
def CheckerCompleted(self, exitcode, waitstatus, command):
1957
1562
"D-Bus signal"
1958
1563
pass
1959
1564
1960
1565
# CheckerStarted - signal
1961
1566
@dbus.service.signal(_interface, signature="s")
1962
1567
def CheckerStarted(self, command):
1963
1568
"D-Bus signal"
1964
1569
pass
1965
1570
1966
1571
# PropertyChanged - signal
1967
1572
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1968
1573
@dbus.service.signal(_interface, signature="sv")
1969
1574
def PropertyChanged(self, property, value):
1970
1575
"D-Bus signal"
1971
1576
pass
1972
1577
1973
1578
# GotSecret - signal
1974
1579
@dbus.service.signal(_interface)
1975
1580
def GotSecret(self):
1978
1583
server to mandos-client
1979
1584
"""
1980
1585
pass
1981
1586
1982
1587
# Rejected - signal
1983
1588
@dbus.service.signal(_interface, signature="s")
1984
1589
def Rejected(self, reason):
1985
1590
"D-Bus signal"
1986
1591
pass
1987
1592
1988
1593
# NeedApproval - signal
1989
1594
@dbus.service.signal(_interface, signature="tb")
1990
1595
def NeedApproval(self, timeout, default):
1991
1596
"D-Bus signal"
1992
1597
return self.need_approval()
1993
1994
# Methods
1995
1598
1599
## Methods
1600
1996
1601
# Approve - method
1997
1602
@dbus.service.method(_interface, in_signature="b")
1998
1603
def Approve(self, value):
1999
1604
self.approve(value)
2000
1605
2001
1606
# CheckedOK - method
2002
1607
@dbus.service.method(_interface)
2003
1608
def CheckedOK(self):
2004
1609
self.checked_ok()
2005
1610
2006
1611
# Enable - method
2007
1612
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1613
@dbus.service.method(_interface)
2009
1614
def Enable(self):
2010
1615
"D-Bus method"
2011
1616
self.enable()
2012
1617
2013
1618
# StartChecker - method
2014
1619
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1620
@dbus.service.method(_interface)
2016
1621
def StartChecker(self):
2017
1622
"D-Bus method"
2018
1623
self.start_checker()
2019
1624
2020
1625
# Disable - method
2021
1626
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1627
@dbus.service.method(_interface)
2023
1628
def Disable(self):
2024
1629
"D-Bus method"
2025
1630
self.disable()
2026
1631
2027
1632
# StopChecker - method
2028
1633
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2029
1634
@dbus.service.method(_interface)
2030
1635
def StopChecker(self):
2031
1636
self.stop_checker()
2032
2033
# Properties
2034
1637
1638
## Properties
1639
2035
1640
# ApprovalPending - property
2036
1641
@dbus_service_property(_interface, signature="b", access="read")
2037
1642
def ApprovalPending_dbus_property(self):
2038
1643
return dbus.Boolean(bool(self.approvals_pending))
2039
1644
2040
1645
# ApprovedByDefault - property
2041
1646
@dbus_service_property(_interface,
2042
1647
signature="b",
2045
1650
if value is None: # get
2046
1651
return dbus.Boolean(self.approved_by_default)
2047
1652
self.approved_by_default = bool(value)
2048
1653
2049
1654
# ApprovalDelay - property
2050
1655
@dbus_service_property(_interface,
2051
1656
signature="t",
2055
1660
return dbus.UInt64(self.approval_delay.total_seconds()
2056
1661
* 1000)
2057
1662
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2058
1663
2059
1664
# ApprovalDuration - property
2060
1665
@dbus_service_property(_interface,
2061
1666
signature="t",
2065
1670
return dbus.UInt64(self.approval_duration.total_seconds()
2066
1671
* 1000)
2067
1672
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2068
1673
2069
1674
# Name - property
2070
1675
@dbus_annotations(
2071
1676
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
1677
@dbus_service_property(_interface, signature="s", access="read")
2073
1678
def Name_dbus_property(self):
2074
1679
return dbus.String(self.name)
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
1680
2083
1681
# Fingerprint - property
2084
1682
@dbus_annotations(
2085
1683
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
1684
@dbus_service_property(_interface, signature="s", access="read")
2087
1685
def Fingerprint_dbus_property(self):
2088
1686
return dbus.String(self.fingerprint)
2089
1687
2090
1688
# Host - property
2091
1689
@dbus_service_property(_interface,
2092
1690
signature="s",
2095
1693
if value is None: # get
2096
1694
return dbus.String(self.host)
2097
1695
self.host = str(value)
2098
1696
2099
1697
# Created - property
2100
1698
@dbus_annotations(
2101
1699
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2102
1700
@dbus_service_property(_interface, signature="s", access="read")
2103
1701
def Created_dbus_property(self):
2104
1702
return datetime_to_dbus(self.created)
2105
1703
2106
1704
# LastEnabled - property
2107
1705
@dbus_service_property(_interface, signature="s", access="read")
2108
1706
def LastEnabled_dbus_property(self):
2109
1707
return datetime_to_dbus(self.last_enabled)
2110
1708
2111
1709
# Enabled - property
2112
1710
@dbus_service_property(_interface,
2113
1711
signature="b",
2119
1717
self.enable()
2120
1718
else:
2121
1719
self.disable()
2122
1720
2123
1721
# LastCheckedOK - property
2124
1722
@dbus_service_property(_interface,
2125
1723
signature="s",
2129
1727
self.checked_ok()
2130
1728
return
2131
1729
return datetime_to_dbus(self.last_checked_ok)
2132
1730
2133
1731
# LastCheckerStatus - property
2134
1732
@dbus_service_property(_interface, signature="n", access="read")
2135
1733
def LastCheckerStatus_dbus_property(self):
2136
1734
return dbus.Int16(self.last_checker_status)
2137
1735
2138
1736
# Expires - property
2139
1737
@dbus_service_property(_interface, signature="s", access="read")
2140
1738
def Expires_dbus_property(self):
2141
1739
return datetime_to_dbus(self.expires)
2142
1740
2143
1741
# LastApprovalRequest - property
2144
1742
@dbus_service_property(_interface, signature="s", access="read")
2145
1743
def LastApprovalRequest_dbus_property(self):
2146
1744
return datetime_to_dbus(self.last_approval_request)
2147
1745
2148
1746
# Timeout - property
2149
1747
@dbus_service_property(_interface,
2150
1748
signature="t",
2165
1763
if (getattr(self, "disable_initiator_tag", None)
2166
1764
is None):
2167
1765
return
2168
GLib.source_remove(self.disable_initiator_tag)
2169
self.disable_initiator_tag = GLib.timeout_add(
1766
gobject.source_remove(self.disable_initiator_tag)
1767
self.disable_initiator_tag = gobject.timeout_add(
2170
1768
int((self.expires - now).total_seconds() * 1000),
2171
1769
self.disable)
2172
1770
2173
1771
# ExtendedTimeout - property
2174
1772
@dbus_service_property(_interface,
2175
1773
signature="t",
2179
1777
return dbus.UInt64(self.extended_timeout.total_seconds()
2180
1778
* 1000)
2181
1779
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2182
1780
2183
1781
# Interval - property
2184
1782
@dbus_service_property(_interface,
2185
1783
signature="t",
2192
1790
return
2193
1791
if self.enabled:
2194
1792
# Reschedule checker run
2195
GLib.source_remove(self.checker_initiator_tag)
2196
self.checker_initiator_tag = GLib.timeout_add(
1793
gobject.source_remove(self.checker_initiator_tag)
1794
self.checker_initiator_tag = gobject.timeout_add(
2197
1795
value, self.start_checker)
2198
self.start_checker() # Start one now, too
2199
1796
self.start_checker() # Start one now, too
1797
2200
1798
# Checker - property
2201
1799
@dbus_service_property(_interface,
2202
1800
signature="s",
2205
1803
if value is None: # get
2206
1804
return dbus.String(self.checker_command)
2207
1805
self.checker_command = str(value)
2208
1806
2209
1807
# CheckerRunning - property
2210
1808
@dbus_service_property(_interface,
2211
1809
signature="b",
2217
1815
self.start_checker()
2218
1816
else:
2219
1817
self.stop_checker()
2220
1818
2221
1819
# ObjectPath - property
2222
1820
@dbus_annotations(
2223
1821
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2224
1822
"org.freedesktop.DBus.Deprecated": "true"})
2225
1823
@dbus_service_property(_interface, signature="o", access="read")
2226
1824
def ObjectPath_dbus_property(self):
2227
return self.dbus_object_path # is already a dbus.ObjectPath
2228
1825
return self.dbus_object_path # is already a dbus.ObjectPath
1826
2229
1827
# Secret = property
2230
1828
@dbus_annotations(
2231
1829
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2236
1834
byte_arrays=True)
2237
1835
def Secret_dbus_property(self, value):
2238
1836
self.secret = bytes(value)
2239
1837
2240
1838
del _interface
2241
1839
2242
1840
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
1841
class ProxyClient(object):
1842
def __init__(self, child_pipe, fpr, address):
2245
1843
self._pipe = child_pipe
2246
self._pipe.send(('init', key_id, fpr, address))
1844
self._pipe.send(('init', fpr, address))
2247
1845
if not self._pipe.recv():
2248
raise KeyError(key_id or fpr)
2249
1846
raise KeyError(fpr)
1847
2250
1848
def __getattribute__(self, name):
2251
1849
if name == '_pipe':
2252
1850
return super(ProxyClient, self).__getattribute__(name)
2255
1853
if data[0] == 'data':
2256
1854
return data[1]
2257
1855
if data[0] == 'function':
2258
1856
2259
1857
def func(*args, **kwargs):
2260
1858
self._pipe.send(('funcall', name, args, kwargs))
2261
1859
return self._pipe.recv()[1]
2262
1860
2263
1861
return func
2264
1862
2265
1863
def __setattr__(self, name, value):
2266
1864
if name == '_pipe':
2267
1865
return super(ProxyClient, self).__setattr__(name, value)
2270
1868
2271
1869
class ClientHandler(socketserver.BaseRequestHandler, object):
2272
1870
"""A class to handle client connections.
2273
1871
2274
1872
Instantiated once for each connection to handle it.
2275
1873
Note: This will run in its own forked process."""
2276
1874
2277
1875
def handle(self):
2278
1876
with contextlib.closing(self.server.child_pipe) as child_pipe:
2279
1877
logger.info("TCP connection from: %s",
2280
1878
str(self.client_address))
2281
1879
logger.debug("Pipe FD: %d",
2282
1880
self.server.child_pipe.fileno())
2283
2284
session = gnutls.ClientSession(self.request)
2285
2286
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2287
# "+AES-256-CBC", "+SHA1",
2288
# "+COMP-NULL", "+CTYPE-OPENPGP",
2289
# "+DHE-DSS"))
1881
1882
session = gnutls.connection.ClientSession(
1883
self.request, gnutls.connection.X509Credentials())
1884
1885
# Note: gnutls.connection.X509Credentials is really a
1886
# generic GnuTLS certificate credentials object so long as
1887
# no X.509 keys are added to it. Therefore, we can use it
1888
# here despite using OpenPGP certificates.
1889
1890
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1891
# "+AES-256-CBC", "+SHA1",
1892
# "+COMP-NULL", "+CTYPE-OPENPGP",
1893
# "+DHE-DSS"))
2290
1894
# Use a fallback default, since this MUST be set.
2291
1895
priority = self.server.gnutls_priority
2292
1896
if priority is None:
2293
1897
priority = "NORMAL"
2294
gnutls.priority_set_direct(session._c_object,
2295
priority.encode("utf-8"),
2296
None)
2297
1898
gnutls.library.functions.gnutls_priority_set_direct(
1899
session._c_object, priority, None)
1900
2298
1901
# Start communication using the Mandos protocol
2299
1902
# Get protocol number
2300
1903
line = self.request.makefile().readline()
2305
1908
except (ValueError, IndexError, RuntimeError) as error:
2306
1909
logger.error("Unknown protocol version: %s", error)
2307
1910
return
2308
1911
2309
1912
# Start GnuTLS connection
2310
1913
try:
2311
1914
session.handshake()
2312
except gnutls.Error as error:
1915
except gnutls.errors.GNUTLSError as error:
2313
1916
logger.warning("Handshake failed: %s", error)
2314
1917
# Do not run session.bye() here: the session is not
2315
1918
# established. Just abandon the request.
2316
1919
return
2317
1920
logger.debug("Handshake succeeded")
2318
1921
2319
1922
approval_required = False
2320
1923
try:
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
1924
try:
1925
fpr = self.fingerprint(
1926
self.peer_certificate(session))
1927
except (TypeError,
1928
gnutls.errors.GNUTLSError) as error:
1929
logger.warning("Bad certificate: %s", error)
1930
return
1931
logger.debug("Fingerprint: %s", fpr)
1932
1933
try:
1934
client = ProxyClient(child_pipe, fpr,
2343
1935
self.client_address)
2344
1936
except KeyError:
2345
1937
return
2346
1938
2347
1939
if client.approval_delay:
2348
1940
delay = client.approval_delay
2349
1941
client.approvals_pending += 1
2350
1942
approval_required = True
2351
1943
2352
1944
while True:
2353
1945
if not client.enabled:
2354
1946
logger.info("Client %s is disabled",
2357
1949
# Emit D-Bus signal
2358
1950
client.Rejected("Disabled")
2359
1951
return
2360
1952
2361
1953
if client.approved or not client.approval_delay:
2362
# We are approved or approval is disabled
1954
#We are approved or approval is disabled
2363
1955
break
2364
1956
elif client.approved is None:
2365
1957
logger.info("Client %s needs approval",
2376
1968
# Emit D-Bus signal
2377
1969
client.Rejected("Denied")
2378
1970
return
2379
2380
# wait until timeout or approved
1971
1972
#wait until timeout or approved
2381
1973
time = datetime.datetime.now()
2382
1974
client.changedstate.acquire()
2383
1975
client.changedstate.wait(delay.total_seconds())
2396
1988
break
2397
1989
else:
2398
1990
delay -= time2 - time
2399
2400
try:
2401
session.send(client.secret)
2402
except gnutls.Error as error:
2403
logger.warning("gnutls send failed",
2404
exc_info=error)
2405
return
2406
1991
1992
sent_size = 0
1993
while sent_size < len(client.secret):
1994
try:
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
1998
exc_info=error)
1999
return
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2002
+ sent))
2003
sent_size += sent
2004
2407
2005
logger.info("Sending secret to %s", client.name)
2408
2006
# bump the timeout using extended_timeout
2409
2007
client.bump_timeout(client.extended_timeout)
2410
2008
if self.server.use_dbus:
2411
2009
# Emit D-Bus signal
2412
2010
client.GotSecret()
2413
2011
2414
2012
finally:
2415
2013
if approval_required:
2416
2014
client.approvals_pending -= 1
2417
2015
try:
2418
2016
session.bye()
2419
except gnutls.Error as error:
2017
except gnutls.errors.GNUTLSError as error:
2420
2018
logger.warning("GnuTLS bye failed",
2421
2019
exc_info=error)
2422
2020
2423
2021
@staticmethod
2424
2022
def peer_certificate(session):
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2439
# ...return invalid data
2440
return b""
2023
"Return the peer's OpenPGP certificate as a bytestring"
2024
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2026
session._c_object)
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2441
2030
list_size = ctypes.c_uint(1)
2442
cert_list = (gnutls.certificate_get_peers
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2443
2033
(session._c_object, ctypes.byref(list_size)))
2444
2034
if not bool(cert_list) and list_size.value != 0:
2445
raise gnutls.Error("error getting peer certificate")
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2036
" certificate")
2446
2037
if list_size.value == 0:
2447
2038
return None
2448
2039
cert = cert_list[0]
2449
2040
return ctypes.string_at(cert.data, cert.size)
2450
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2041
2485
2042
@staticmethod
2486
2043
def fingerprint(openpgp):
2487
2044
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2488
2045
# New GnuTLS "datum" with the OpenPGP public key
2489
datum = gnutls.datum_t(
2046
datum = gnutls.library.types.gnutls_datum_t(
2490
2047
ctypes.cast(ctypes.c_char_p(openpgp),
2491
2048
ctypes.POINTER(ctypes.c_ubyte)),
2492
2049
ctypes.c_uint(len(openpgp)))
2493
2050
# New empty GnuTLS certificate
2494
crt = gnutls.openpgp_crt_t()
2495
gnutls.openpgp_crt_init(ctypes.byref(crt))
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2053
ctypes.byref(crt))
2496
2054
# Import the OpenPGP public key into the certificate
2497
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2498
gnutls.OPENPGP_FMT_RAW)
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2499
2058
# Verify the self signature in the key
2500
2059
crtverify = ctypes.c_uint()
2501
gnutls.openpgp_crt_verify_self(crt, 0,
2502
ctypes.byref(crtverify))
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2503
2062
if crtverify.value != 0:
2504
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2065
"Verify failed")
2507
2066
# New buffer for the fingerprint
2508
2067
buf = ctypes.create_string_buffer(20)
2509
2068
buf_len = ctypes.c_size_t()
2510
2069
# Get the fingerprint from the certificate into the buffer
2511
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2512
ctypes.byref(buf_len))
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2513
2072
# Deinit the certificate
2514
gnutls.openpgp_crt_deinit(crt)
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2515
2074
# Convert the buffer to a Python bytestring
2516
2075
fpr = ctypes.string_at(buf, buf_len.value)
2517
2076
# Convert the bytestring to hexadecimal notation
2519
2078
return hex_fpr
2520
2079
2521
2080
2522
class MultiprocessingMixIn:
2081
class MultiprocessingMixIn(object):
2523
2082
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2524
2083
2525
2084
def sub_process_main(self, request, address):
2526
2085
try:
2527
2086
self.finish_request(request, address)
2528
2087
except Exception:
2529
2088
self.handle_error(request, address)
2530
2089
self.close_request(request)
2531
2090
2532
2091
def process_request(self, request, address):
2533
2092
"""Start a new process to process the request."""
2534
proc = multiprocessing.Process(target=self.sub_process_main,
2535
args=(request, address))
2093
proc = multiprocessing.Process(target = self.sub_process_main,
2094
args = (request, address))
2536
2095
proc.start()
2537
2096
return proc
2538
2097
2539
2098
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2099
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2541
2100
""" adds a pipe to the MixIn """
2542
2101
2543
2102
def process_request(self, request, client_address):
2544
2103
"""Overrides and wraps the original process_request().
2545
2104
2546
2105
This function creates a new pipe in self.pipe
2547
2106
"""
2548
2107
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2549
2108
2550
2109
proc = MultiprocessingMixIn.process_request(self, request,
2551
2110
client_address)
2552
2111
self.child_pipe.close()
2553
2112
self.add_pipe(parent_pipe, proc)
2554
2113
2555
2114
def add_pipe(self, parent_pipe, proc):
2556
2115
"""Dummy function; override as necessary"""
2557
2116
raise NotImplementedError()
2558
2117
2559
2118
2560
2119
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2561
socketserver.TCPServer):
2120
socketserver.TCPServer, object):
2562
2121
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2563
2122
2564
2123
Attributes:
2565
2124
enabled: Boolean; whether this server is activated yet
2566
2125
interface: None or a network interface name (string)
2567
2126
use_ipv6: Boolean; to use IPv6 or not
2568
2127
"""
2569
2128
2570
2129
def __init__(self, server_address, RequestHandlerClass,
2571
2130
interface=None,
2572
2131
use_ipv6=True,
2582
2141
self.socketfd = socketfd
2583
2142
# Save the original socket.socket() function
2584
2143
self.socket_socket = socket.socket
2585
2586
2144
# To implement --socket, we monkey patch socket.socket.
2587
#
2145
#
2588
2146
# (When socketserver.TCPServer is a new-style class, we
2589
2147
# could make self.socket into a property instead of monkey
2590
2148
# patching socket.socket.)
2591
#
2149
#
2592
2150
# Create a one-time-only replacement for socket.socket()
2593
2151
@functools.wraps(socket.socket)
2594
2152
def socket_wrapper(*args, **kwargs):
2606
2164
# socket_wrapper(), if socketfd was set.
2607
2165
socketserver.TCPServer.__init__(self, server_address,
2608
2166
RequestHandlerClass)
2609
2167
2610
2168
def server_bind(self):
2611
2169
"""This overrides the normal server_bind() function
2612
2170
to bind to an interface if one was specified, and also NOT to
2613
2171
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2615
2172
if self.interface is not None:
2616
2173
if SO_BINDTODEVICE is None:
2617
# Fall back to a hard-coded value which seems to be
2618
# common enough.
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2621
try:
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2632
self.interface)
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2636
else:
2637
raise
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2176
self.interface)
2177
else:
2178
try:
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2189
self.interface)
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2193
else:
2194
raise
2638
2195
# Only bind(2) the socket if we really need to.
2639
2196
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2642
2197
if not self.server_address[0]:
2643
2198
if self.address_family == socket.AF_INET6:
2644
any_address = "::" # in6addr_any
2199
any_address = "::" # in6addr_any
2645
2200
else:
2646
any_address = "0.0.0.0" # INADDR_ANY
2201
any_address = "0.0.0.0" # INADDR_ANY
2647
2202
self.server_address = (any_address,
2648
2203
self.server_address[1])
2649
2204
elif not self.server_address[1]:
2659
2214
2660
2215
class MandosServer(IPv6_TCPServer):
2661
2216
"""Mandos server.
2662
2217
2663
2218
Attributes:
2664
2219
clients: set of Client objects
2665
2220
gnutls_priority GnuTLS priority string
2666
2221
use_dbus: Boolean; to emit D-Bus signals or not
2667
2668
Assumes a GLib.MainLoop event loop.
2222
2223
Assumes a gobject.MainLoop event loop.
2669
2224
"""
2670
2225
2671
2226
def __init__(self, server_address, RequestHandlerClass,
2672
2227
interface=None,
2673
2228
use_ipv6=True,
2683
2238
self.gnutls_priority = gnutls_priority
2684
2239
IPv6_TCPServer.__init__(self, server_address,
2685
2240
RequestHandlerClass,
2686
interface=interface,
2687
use_ipv6=use_ipv6,
2688
socketfd=socketfd)
2689
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2244
2690
2245
def server_activate(self):
2691
2246
if self.enabled:
2692
2247
return socketserver.TCPServer.server_activate(self)
2693
2248
2694
2249
def enable(self):
2695
2250
self.enabled = True
2696
2251
2697
2252
def add_pipe(self, parent_pipe, proc):
2698
2253
# Call "handle_ipc" for both data and EOF events
2699
GLib.io_add_watch(
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2254
gobject.io_add_watch(
2255
parent_pipe.fileno(),
2256
gobject.IO_IN | gobject.IO_HUP,
2702
2257
functools.partial(self.handle_ipc,
2703
parent_pipe=parent_pipe,
2704
proc=proc))
2705
2258
parent_pipe = parent_pipe,
2259
proc = proc))
2260
2706
2261
def handle_ipc(self, source, condition,
2707
2262
parent_pipe=None,
2708
proc=None,
2263
proc = None,
2709
2264
client_object=None):
2710
2265
# error, or the other end of multiprocessing.Pipe has closed
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2712
2267
# Wait for other process to exit
2713
2268
proc.join()
2714
2269
return False
2715
2270
2716
2271
# Read a request from the child
2717
2272
request = parent_pipe.recv()
2718
2273
command = request[0]
2719
2274
2720
2275
if command == 'init':
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2724
2725
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2276
fpr = request[1]
2277
address = request[2]
2278
2279
for c in self.clients.itervalues():
2280
if c.fingerprint == fpr:
2732
2281
client = c
2733
2282
break
2734
2283
else:
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2284
logger.info("Client not found for fingerprint: %s, ad"
2285
"dress: %s", fpr, address)
2737
2286
if self.use_dbus:
2738
2287
# Emit D-Bus signal
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2288
mandos_dbus_service.ClientNotFound(fpr,
2740
2289
address[0])
2741
2290
parent_pipe.send(False)
2742
2291
return False
2743
2744
GLib.io_add_watch(
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2292
2293
gobject.io_add_watch(
2294
parent_pipe.fileno(),
2295
gobject.IO_IN | gobject.IO_HUP,
2747
2296
functools.partial(self.handle_ipc,
2748
parent_pipe=parent_pipe,
2749
proc=proc,
2750
client_object=client))
2297
parent_pipe = parent_pipe,
2298
proc = proc,
2299
client_object = client))
2751
2300
parent_pipe.send(True)
2752
2301
# remove the old hook in favor of the new above hook on
2753
2302
# same fileno
2756
2305
funcname = request[1]
2757
2306
args = request[2]
2758
2307
kwargs = request[3]
2759
2308
2760
2309
parent_pipe.send(('data', getattr(client_object,
2761
2310
funcname)(*args,
2762
2311
**kwargs)))
2763
2312
2764
2313
if command == 'getattr':
2765
2314
attrname = request[1]
2766
2315
if isinstance(client_object.__getattribute__(attrname),
2767
collections.abc.Callable):
2316
collections.Callable):
2768
2317
parent_pipe.send(('function', ))
2769
2318
else:
2770
2319
parent_pipe.send((
2771
2320
'data', client_object.__getattribute__(attrname)))
2772
2321
2773
2322
if command == 'setattr':
2774
2323
attrname = request[1]
2775
2324
value = request[2]
2776
2325
setattr(client_object, attrname, value)
2777
2326
2778
2327
return True
2779
2328
2780
2329
2781
2330
def rfc3339_duration_to_delta(duration):
2782
2331
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2783
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2332
2333
>>> rfc3339_duration_to_delta("P7D")
2334
datetime.timedelta(7)
2335
>>> rfc3339_duration_to_delta("PT60S")
2336
datetime.timedelta(0, 60)
2337
>>> rfc3339_duration_to_delta("PT60M")
2338
datetime.timedelta(0, 3600)
2339
>>> rfc3339_duration_to_delta("PT24H")
2340
datetime.timedelta(1)
2341
>>> rfc3339_duration_to_delta("P1W")
2342
datetime.timedelta(7)
2343
>>> rfc3339_duration_to_delta("PT5M30S")
2344
datetime.timedelta(0, 330)
2345
>>> rfc3339_duration_to_delta("P1DT3M20S")
2346
datetime.timedelta(1, 200)
2798
2347
"""
2799
2348
2800
2349
# Parsing an RFC 3339 duration with regular expressions is not
2801
2350
# possible - there would have to be multiple places for the same
2802
2351
# values, like seconds. The current code, while more esoteric, is
2803
2352
# cleaner without depending on a parsing library. If Python had a
2804
2353
# built-in library for parsing we would use it, but we'd like to
2805
2354
# avoid excessive use of external libraries.
2806
2355
2807
2356
# New type for defining tokens, syntax, and semantics all-in-one
2808
2357
Token = collections.namedtuple("Token", (
2809
2358
"regexp", # To match token; if "value" is not None, must have
2842
2391
frozenset((token_year, token_month,
2843
2392
token_day, token_time,
2844
2393
token_week)))
2845
# Define starting values:
2846
# Value so far
2847
value = datetime.timedelta()
2394
# Define starting values
2395
value = datetime.timedelta() # Value so far
2848
2396
found_token = None
2849
# Following valid tokens
2850
followers = frozenset((token_duration, ))
2851
# String left to parse
2852
s = duration
2397
followers = frozenset((token_duration, )) # Following valid tokens
2398
s = duration # String left to parse
2853
2399
# Loop until end token is found
2854
2400
while found_token is not token_end:
2855
2401
# Search for any currently valid tokens
2879
2425
2880
2426
def string_to_delta(interval):
2881
2427
"""Parse a string and return a datetime.timedelta
2882
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2428
2429
>>> string_to_delta('7d')
2430
datetime.timedelta(7)
2431
>>> string_to_delta('60s')
2432
datetime.timedelta(0, 60)
2433
>>> string_to_delta('60m')
2434
datetime.timedelta(0, 3600)
2435
>>> string_to_delta('24h')
2436
datetime.timedelta(1)
2437
>>> string_to_delta('1w')
2438
datetime.timedelta(7)
2439
>>> string_to_delta('5m 30s')
2440
datetime.timedelta(0, 330)
2895
2441
"""
2896
2442
2897
2443
try:
2898
2444
return rfc3339_duration_to_delta(interval)
2899
2445
except ValueError:
2900
2446
pass
2901
2447
2902
2448
timevalue = datetime.timedelta(0)
2903
2449
for s in interval.split():
2904
2450
try:
2922
2468
return timevalue
2923
2469
2924
2470
2925
def daemon(nochdir=False, noclose=False):
2471
def daemon(nochdir = False, noclose = False):
2926
2472
"""See daemon(3). Standard BSD Unix function.
2927
2473
2928
2474
This should really exist as os.daemon, but it doesn't (yet)."""
2929
2475
if os.fork():
2930
2476
sys.exit()
2948
2494
2949
2495
2950
2496
def main():
2951
2497
2952
2498
##################################################################
2953
2499
# Parsing of options, both command line and config file
2954
2500
2955
2501
parser = argparse.ArgumentParser()
2956
2502
parser.add_argument("-v", "--version", action="version",
2957
version="%(prog)s {}".format(version),
2503
version = "%(prog)s {}".format(version),
2958
2504
help="show version number and exit")
2959
2505
parser.add_argument("-i", "--interface", metavar="IF",
2960
2506
help="Bind to interface IF")
2996
2542
parser.add_argument("--no-zeroconf", action="store_false",
2997
2543
dest="zeroconf", help="Do not use Zeroconf",
2998
2544
default=None)
2999
2545
3000
2546
options = parser.parse_args()
3001
2547
2548
if options.check:
2549
import doctest
2550
fail_count, test_count = doctest.testmod()
2551
sys.exit(os.EX_OK if fail_count == 0 else 1)
2552
3002
2553
# Default values for config file for server-global settings
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
3009
server_defaults = {"interface": "",
3010
"address": "",
3011
"port": "",
3012
"debug": "False",
3013
"priority": priority,
3014
"servicename": "Mandos",
3015
"use_dbus": "True",
3016
"use_ipv6": "True",
3017
"debuglevel": "",
3018
"restore": "True",
3019
"socket": "",
3020
"statedir": "/var/lib/mandos",
3021
"foreground": "False",
3022
"zeroconf": "True",
3023
}
3024
del priority
3025
2554
server_defaults = { "interface": "",
2555
"address": "",
2556
"port": "",
2557
"debug": "False",
2558
"priority":
2559
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2560
":+SIGN-DSA-SHA256",
2561
"servicename": "Mandos",
2562
"use_dbus": "True",
2563
"use_ipv6": "True",
2564
"debuglevel": "",
2565
"restore": "True",
2566
"socket": "",
2567
"statedir": "/var/lib/mandos",
2568
"foreground": "False",
2569
"zeroconf": "True",
2570
}
2571
3026
2572
# Parse config file for server-global settings
3027
server_config = configparser.ConfigParser(server_defaults)
2573
server_config = configparser.SafeConfigParser(server_defaults)
3028
2574
del server_defaults
3029
2575
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3030
# Convert the ConfigParser object to a dict
2576
# Convert the SafeConfigParser object to a dict
3031
2577
server_settings = server_config.defaults()
3032
2578
# Use the appropriate methods on the non-string config options
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3034
"foreground", "zeroconf"):
2579
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3035
2580
server_settings[option] = server_config.getboolean("DEFAULT",
3036
2581
option)
3037
2582
if server_settings["port"]:
3047
2592
server_settings["socket"] = os.dup(server_settings
3048
2593
["socket"])
3049
2594
del server_config
3050
2595
3051
2596
# Override the settings from the config file with command line
3052
2597
# options, if set.
3053
2598
for option in ("interface", "address", "port", "debug",
3071
2616
if server_settings["debug"]:
3072
2617
server_settings["foreground"] = True
3073
2618
# Now we have our good server settings in "server_settings"
3074
2619
3075
2620
##################################################################
3076
2621
3077
2622
if (not server_settings["zeroconf"]
3078
2623
and not (server_settings["port"]
3079
2624
or server_settings["socket"] != "")):
3080
2625
parser.error("Needs port or socket to work without Zeroconf")
3081
2626
3082
2627
# For convenience
3083
2628
debug = server_settings["debug"]
3084
2629
debuglevel = server_settings["debuglevel"]
3088
2633
stored_state_file)
3089
2634
foreground = server_settings["foreground"]
3090
2635
zeroconf = server_settings["zeroconf"]
3091
2636
3092
2637
if debug:
3093
2638
initlogger(debug, logging.DEBUG)
3094
2639
else:
3097
2642
else:
3098
2643
level = getattr(logging, debuglevel.upper())
3099
2644
initlogger(debug, level)
3100
2645
3101
2646
if server_settings["servicename"] != "Mandos":
3102
2647
syslogger.setFormatter(
3103
2648
logging.Formatter('Mandos ({}) [%(process)d]:'
3104
2649
' %(levelname)s: %(message)s'.format(
3105
2650
server_settings["servicename"])))
3106
2651
3107
2652
# Parse config file with clients
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2653
client_config = configparser.SafeConfigParser(Client
2654
.client_defaults)
3109
2655
client_config.read(os.path.join(server_settings["configdir"],
3110
2656
"clients.conf"))
3111
2657
3112
2658
global mandos_dbus_service
3113
2659
mandos_dbus_service = None
3114
2660
3115
2661
socketfd = None
3116
2662
if server_settings["socket"] != "":
3117
2663
socketfd = server_settings["socket"]
3133
2679
except IOError as e:
3134
2680
logger.error("Could not open file %r", pidfilename,
3135
2681
exc_info=e)
3136
3137
for name, group in (("_mandos", "_mandos"),
3138
("mandos", "mandos"),
3139
("nobody", "nogroup")):
2682
2683
for name in ("_mandos", "mandos", "nobody"):
3140
2684
try:
3141
2685
uid = pwd.getpwnam(name).pw_uid
3142
gid = pwd.getpwnam(group).pw_gid
2686
gid = pwd.getpwnam(name).pw_gid
3143
2687
break
3144
2688
except KeyError:
3145
2689
continue
3149
2693
try:
3150
2694
os.setgid(gid)
3151
2695
os.setuid(uid)
3152
if debug:
3153
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3154
gid))
3155
2696
except OSError as error:
3156
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3157
.format(uid, gid, os.strerror(error.errno)))
3158
2697
if error.errno != errno.EPERM:
3159
2698
raise
3160
2699
3161
2700
if debug:
3162
2701
# Enable all possible GnuTLS debugging
3163
2702
3164
2703
# "Use a log level over 10 to enable all debugging options."
3165
2704
# - GnuTLS manual
3166
gnutls.global_set_log_level(11)
3167
3168
@gnutls.log_func
2705
gnutls.library.functions.gnutls_global_set_log_level(11)
2706
2707
@gnutls.library.types.gnutls_log_func
3169
2708
def debug_gnutls(level, string):
3170
2709
logger.debug("GnuTLS: %s", string[:-1])
3171
3172
gnutls.global_set_log_function(debug_gnutls)
3173
2710
2711
gnutls.library.functions.gnutls_global_set_log_function(
2712
debug_gnutls)
2713
3174
2714
# Redirect stdin so all checkers get /dev/null
3175
2715
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3176
2716
os.dup2(null, sys.stdin.fileno())
3177
2717
if null > 2:
3178
2718
os.close(null)
3179
2719
3180
2720
# Need to fork before connecting to D-Bus
3181
2721
if not foreground:
3182
2722
# Close all input and output, do double fork, etc.
3183
2723
daemon()
3184
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3189
2724
2725
# multiprocessing will use threads, so before we use gobject we
2726
# need to inform gobject that threads will be used.
2727
gobject.threads_init()
2728
3190
2729
global main_loop
3191
2730
# From the Avahi example code
3192
2731
DBusGMainLoop(set_as_default=True)
3193
main_loop = GLib.MainLoop()
2732
main_loop = gobject.MainLoop()
3194
2733
bus = dbus.SystemBus()
3195
2734
# End of Avahi example code
3196
2735
if use_dbus:
3209
2748
if zeroconf:
3210
2749
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3211
2750
service = AvahiServiceToSyslog(
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
3214
protocol=protocol,
3215
bus=bus)
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2754
bus = bus)
3216
2755
if server_settings["interface"]:
3217
2756
service.interface = if_nametoindex(
3218
2757
server_settings["interface"].encode("utf-8"))
3219
2758
3220
2759
global multiprocessing_manager
3221
2760
multiprocessing_manager = multiprocessing.Manager()
3222
2761
3223
2762
client_class = Client
3224
2763
if use_dbus:
3225
client_class = functools.partial(ClientDBus, bus=bus)
3226
2764
client_class = functools.partial(ClientDBus, bus = bus)
2765
3227
2766
client_settings = Client.config_parser(client_config)
3228
2767
old_client_settings = {}
3229
2768
clients_data = {}
3230
2769
3231
2770
# This is used to redirect stdout and stderr for checker processes
3232
2771
global wnull
3233
wnull = open(os.devnull, "w") # A writable /dev/null
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3234
2773
# Only used if server is running in foreground but not in debug
3235
2774
# mode
3236
2775
if debug or not foreground:
3237
2776
wnull.close()
3238
2777
3239
2778
# Get client data and settings from last running state.
3240
2779
if server_settings["restore"]:
3241
2780
try:
3242
2781
with open(stored_state_path, "rb") as stored_state:
3243
if sys.version_info.major == 2:
3244
clients_data, old_client_settings = pickle.load(
3245
stored_state)
3246
else:
3247
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3250
# clients_data
3251
# .keys()
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3258
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3261
for k, v in
3262
clients_data[key].items()}
3263
clients_data[key] = value
3264
# .client_structure
3265
value["client_structure"] = [
3266
(s.decode("utf-8")
3267
if isinstance(s, bytes)
3268
else s) for s in
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3272
if isinstance(value[k], bytes):
3273
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3279
# .keys()
3280
old_client_settings = {
3281
(key.decode("utf-8")
3282
if isinstance(key, bytes)
3283
else key): value
3284
for key, value in
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3288
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
2782
clients_data, old_client_settings = pickle.load(
2783
stored_state)
3293
2784
os.remove(stored_state_path)
3294
2785
except IOError as e:
3295
2786
if e.errno == errno.ENOENT:
3303
2794
logger.warning("Could not load persistent state: "
3304
2795
"EOFError:",
3305
2796
exc_info=e)
3306
2797
3307
2798
with PGPEngine() as pgp:
3308
2799
for client_name, client in clients_data.items():
3309
2800
# Skip removed clients
3310
2801
if client_name not in client_settings:
3311
2802
continue
3312
2803
3313
2804
# Decide which value to use after restoring saved state.
3314
2805
# We have three different values: Old config file,
3315
2806
# new config file, and saved state.
3326
2817
client[name] = value
3327
2818
except KeyError:
3328
2819
pass
3329
2820
3330
2821
# Clients who has passed its expire date can still be
3331
2822
# enabled if its last checker was successful. A Client
3332
2823
# whose checker succeeded before we stored its state is
3365
2856
client_name))
3366
2857
client["secret"] = (client_settings[client_name]
3367
2858
["secret"])
3368
2859
3369
2860
# Add/remove clients based on new changes made to config
3370
2861
for client_name in (set(old_client_settings)
3371
2862
- set(client_settings)):
3373
2864
for client_name in (set(client_settings)
3374
2865
- set(old_client_settings)):
3375
2866
clients_data[client_name] = client_settings[client_name]
3376
2867
3377
2868
# Create all client objects
3378
2869
for client_name, client in clients_data.items():
3379
2870
tcp_server.clients[client_name] = client_class(
3380
name=client_name,
3381
settings=client,
3382
server_settings=server_settings)
3383
2871
name = client_name,
2872
settings = client,
2873
server_settings = server_settings)
2874
3384
2875
if not tcp_server.clients:
3385
2876
logger.warning("No clients defined")
3386
2877
3387
2878
if not foreground:
3388
2879
if pidfile is not None:
3389
2880
pid = os.getpid()
3395
2886
pidfilename, pid)
3396
2887
del pidfile
3397
2888
del pidfilename
3398
3399
for termsig in (signal.SIGHUP, signal.SIGTERM):
3400
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3401
lambda: main_loop.quit() and False)
3402
2889
2890
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2891
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2892
3403
2893
if use_dbus:
3404
2894
3405
2895
@alternate_dbus_interfaces(
3406
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2896
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3407
2897
class MandosDBusService(DBusObjectWithObjectManager):
3408
2898
"""A D-Bus proxy object"""
3409
2899
3410
2900
def __init__(self):
3411
2901
dbus.service.Object.__init__(self, bus, "/")
3412
2902
3413
2903
_interface = "se.recompile.Mandos"
3414
2904
3415
2905
@dbus.service.signal(_interface, signature="o")
3416
2906
def ClientAdded(self, objpath):
3417
2907
"D-Bus signal"
3418
2908
pass
3419
2909
3420
2910
@dbus.service.signal(_interface, signature="ss")
3421
def ClientNotFound(self, key_id, address):
2911
def ClientNotFound(self, fingerprint, address):
3422
2912
"D-Bus signal"
3423
2913
pass
3424
2914
3425
2915
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
2916
"true"})
3427
2917
@dbus.service.signal(_interface, signature="os")
3428
2918
def ClientRemoved(self, objpath, name):
3429
2919
"D-Bus signal"
3430
2920
pass
3431
2921
3432
2922
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3433
2923
"true"})
3434
2924
@dbus.service.method(_interface, out_signature="ao")
3435
2925
def GetAllClients(self):
3436
2926
"D-Bus method"
3437
2927
return dbus.Array(c.dbus_object_path for c in
3438
tcp_server.clients.values())
3439
2928
tcp_server.clients.itervalues())
2929
3440
2930
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3441
2931
"true"})
3442
2932
@dbus.service.method(_interface,
3444
2934
def GetAllClientsWithProperties(self):
3445
2935
"D-Bus method"
3446
2936
return dbus.Dictionary(
3447
{c.dbus_object_path: c.GetAll(
2937
{ c.dbus_object_path: c.GetAll(
3448
2938
"se.recompile.Mandos.Client")
3449
for c in tcp_server.clients.values()},
2939
for c in tcp_server.clients.itervalues() },
3450
2940
signature="oa{sv}")
3451
2941
3452
2942
@dbus.service.method(_interface, in_signature="o")
3453
2943
def RemoveClient(self, object_path):
3454
2944
"D-Bus method"
3455
for c in tcp_server.clients.values():
2945
for c in tcp_server.clients.itervalues():
3456
2946
if c.dbus_object_path == object_path:
3457
2947
del tcp_server.clients[c.name]
3458
2948
c.remove_from_connection()
3462
2952
self.client_removed_signal(c)
3463
2953
return
3464
2954
raise KeyError(object_path)
3465
2955
3466
2956
del _interface
3467
2957
3468
2958
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3469
out_signature="a{oa{sa{sv}}}")
2959
out_signature = "a{oa{sa{sv}}}")
3470
2960
def GetManagedObjects(self):
3471
2961
"""D-Bus method"""
3472
2962
return dbus.Dictionary(
3473
{client.dbus_object_path:
3474
dbus.Dictionary(
3475
{interface: client.GetAll(interface)
3476
for interface in
3477
client._get_all_interface_names()})
3478
for client in tcp_server.clients.values()})
3479
2963
{ client.dbus_object_path:
2964
dbus.Dictionary(
2965
{ interface: client.GetAll(interface)
2966
for interface in
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2969
3480
2970
def client_added_signal(self, client):
3481
2971
"""Send the new standard signal and the old signal"""
3482
2972
if use_dbus:
3484
2974
self.InterfacesAdded(
3485
2975
client.dbus_object_path,
3486
2976
dbus.Dictionary(
3487
{interface: client.GetAll(interface)
3488
for interface in
3489
client._get_all_interface_names()}))
2977
{ interface: client.GetAll(interface)
2978
for interface in
2979
client._get_all_interface_names()}))
3490
2980
# Old signal
3491
2981
self.ClientAdded(client.dbus_object_path)
3492
2982
3493
2983
def client_removed_signal(self, client):
3494
2984
"""Send the new standard signal and the old signal"""
3495
2985
if use_dbus:
3500
2990
# Old signal
3501
2991
self.ClientRemoved(client.dbus_object_path,
3502
2992
client.name)
3503
2993
3504
2994
mandos_dbus_service = MandosDBusService()
3505
3506
# Save modules to variables to exempt the modules from being
3507
# unloaded before the function registered with atexit() is run.
3508
mp = multiprocessing
3509
wn = wnull
3510
2995
3511
2996
def cleanup():
3512
2997
"Cleanup function; run on exit"
3513
2998
if zeroconf:
3514
2999
service.cleanup()
3515
3516
mp.active_children()
3517
wn.close()
3000
3001
multiprocessing.active_children()
3002
wnull.close()
3518
3003
if not (tcp_server.clients or client_settings):
3519
3004
return
3520
3005
3521
3006
# Store client before exiting. Secrets are encrypted with key
3522
3007
# based on what config file has. If config file is
3523
3008
# removed/edited, old secret will thus be unrecovable.
3524
3009
clients = {}
3525
3010
with PGPEngine() as pgp:
3526
for client in tcp_server.clients.values():
3011
for client in tcp_server.clients.itervalues():
3527
3012
key = client_settings[client.name]["secret"]
3528
3013
client.encrypted_secret = pgp.encrypt(client.secret,
3529
3014
key)
3530
3015
client_dict = {}
3531
3016
3532
3017
# A list of attributes that can not be pickled
3533
3018
# + secret.
3534
exclude = {"bus", "changedstate", "secret",
3535
"checker", "server_settings"}
3019
exclude = { "bus", "changedstate", "secret",
3020
"checker", "server_settings" }
3536
3021
for name, typ in inspect.getmembers(dbus.service
3537
3022
.Object):
3538
3023
exclude.add(name)
3539
3024
3540
3025
client_dict["encrypted_secret"] = (client
3541
3026
.encrypted_secret)
3542
3027
for attr in client.client_structure:
3543
3028
if attr not in exclude:
3544
3029
client_dict[attr] = getattr(client, attr)
3545
3030
3546
3031
clients[client.name] = client_dict
3547
3032
del client_settings[client.name]["secret"]
3548
3033
3549
3034
try:
3550
3035
with tempfile.NamedTemporaryFile(
3551
3036
mode='wb',
3553
3038
prefix='clients-',
3554
3039
dir=os.path.dirname(stored_state_path),
3555
3040
delete=False) as stored_state:
3556
pickle.dump((clients, client_settings), stored_state,
3557
protocol=2)
3041
pickle.dump((clients, client_settings), stored_state)
3558
3042
tempname = stored_state.name
3559
3043
os.rename(tempname, stored_state_path)
3560
3044
except (IOError, OSError) as e:
3570
3054
logger.warning("Could not save persistent state:",
3571
3055
exc_info=e)
3572
3056
raise
3573
3057
3574
3058
# Delete all clients, and settings from config
3575
3059
while tcp_server.clients:
3576
3060
name, client = tcp_server.clients.popitem()
3582
3066
if use_dbus:
3583
3067
mandos_dbus_service.client_removed_signal(client)
3584
3068
client_settings.clear()
3585
3069
3586
3070
atexit.register(cleanup)
3587
3588
for client in tcp_server.clients.values():
3071
3072
for client in tcp_server.clients.itervalues():
3589
3073
if use_dbus:
3590
3074
# Emit D-Bus signal for adding
3591
3075
mandos_dbus_service.client_added_signal(client)
3592
3076
# Need to initiate checking of clients
3593
3077
if client.enabled:
3594
3078
client.init_checker()
3595
3079
3596
3080
tcp_server.enable()
3597
3081
tcp_server.server_activate()
3598
3082
3599
3083
# Find out what port we got
3600
3084
if zeroconf:
3601
3085
service.port = tcp_server.socket.getsockname()[1]
3606
3090
else: # IPv4
3607
3091
logger.info("Now listening on address %r, port %d",
3608
3092
*tcp_server.socket.getsockname())
3609
3610
# service.interface = tcp_server.socket.getsockname()[3]
3611
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3612
3096
try:
3613
3097
if zeroconf:
3614
3098
# From the Avahi example code
3619
3103
cleanup()
3620
3104
sys.exit(1)
3621
3105
# End of Avahi example code
3622
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3628
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3629
3112
logger.debug("Starting main loop")
3630
3113
main_loop.run()
3631
3114
except AvahiError as error:
3640
3123
# Must run before the D-Bus bus name gets deregistered
3641
3124
cleanup()
3642
3125
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3659
3126
3660
3127
if __name__ == '__main__':
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
3128
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0