2
2
# -*- mode: python; coding: utf-8 -*-
4
4
# Mandos server - give out binary blobs to connecting clients.
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
81
78
import dbus.service
82
from gi.repository import GLib
82
from gi.repository import GObject as gobject
83
84
from dbus.mainloop.glib import DBusGMainLoop
86
87
import xml.dom.minidom
89
# Try to find the value of SO_BINDTODEVICE:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
93
91
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
94
92
except AttributeError:
96
# This is where SO_BINDTODEVICE was up to and including Python
98
94
from IN import SO_BINDTODEVICE
99
95
except ImportError:
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
112
SO_BINDTODEVICE = None
96
SO_BINDTODEVICE = None
114
98
if sys.version_info.major == 2:
118
102
stored_state_file = "clients.pickle"
120
104
logger = logging.getLogger()
135
119
return interface_index
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
147
return types.FunctionType(func.__code__,
154
122
def initlogger(debug, level=logging.WARNING):
155
123
"""init logger and add loglevel"""
158
126
syslogger = (logging.handlers.SysLogHandler(
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
161
129
syslogger.setFormatter(logging.Formatter
162
130
('Mandos [%(process)d]: %(levelname)s:'
164
132
logger.addHandler(syslogger)
167
135
console = logging.StreamHandler()
168
136
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
149
class PGPEngine(object):
182
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
152
def __init__(self):
185
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
195
if e.errno != errno.ENOENT:
197
154
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
155
'--home', self.tempdir,
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
205
160
def __enter__(self):
208
163
def __exit__(self, exc_type, exc_value, traceback):
212
167
def __del__(self):
215
170
def _cleanup(self):
216
171
if self.tempdir is not None:
217
172
# Delete contents of tempdir
218
173
for root, dirs, files in os.walk(self.tempdir,
220
175
for filename in files:
221
176
os.remove(os.path.join(root, filename))
222
177
for dirname in dirs:
235
190
.replace(b"\n", b"\\n")
236
191
.replace(b"\0", b"\\x00"))
239
194
def encrypt(self, data, password):
240
195
passphrase = self.password_encode(password)
241
196
with tempfile.NamedTemporaryFile(
242
197
dir=self.tempdir) as passfile:
243
198
passfile.write(passphrase)
245
proc = subprocess.Popen([self.gpg, '--symmetric',
200
proc = subprocess.Popen(['gpg', '--symmetric',
246
201
'--passphrase-file',
248
203
+ self.gnupgargs,
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
204
stdin = subprocess.PIPE,
205
stdout = subprocess.PIPE,
206
stderr = subprocess.PIPE)
207
ciphertext, err = proc.communicate(input = data)
253
208
if proc.returncode != 0:
254
209
raise PGPError(err)
255
210
return ciphertext
257
212
def decrypt(self, data, password):
258
213
passphrase = self.password_encode(password)
259
214
with tempfile.NamedTemporaryFile(
260
dir=self.tempdir) as passfile:
215
dir = self.tempdir) as passfile:
261
216
passfile.write(passphrase)
263
proc = subprocess.Popen([self.gpg, '--decrypt',
218
proc = subprocess.Popen(['gpg', '--decrypt',
264
219
'--passphrase-file',
266
221
+ self.gnupgargs,
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
222
stdin = subprocess.PIPE,
223
stdout = subprocess.PIPE,
224
stderr = subprocess.PIPE)
225
decrypted_plaintext, err = proc.communicate(input = data)
271
226
if proc.returncode != 0:
272
227
raise PGPError(err)
273
228
return decrypted_plaintext
276
# Pretend that we have an Avahi module
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
303
231
class AvahiError(Exception):
304
232
def __init__(self, value, *args, **kwargs):
305
233
self.value = value
535
458
CRD_CERTIFICATE = 1
536
459
E_NO_CERTIFICATE_FOUND = -49
537
460
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
540
463
class session_int(ctypes.Structure):
542
465
session_t = ctypes.POINTER(session_int)
544
466
class certificate_credentials_st(ctypes.Structure):
546
468
certificate_credentials_t = ctypes.POINTER(
547
469
certificate_credentials_st)
548
470
certificate_type_t = ctypes.c_int
550
471
class datum_t(ctypes.Structure):
551
472
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
473
('size', ctypes.c_uint)]
554
474
class openpgp_crt_int(ctypes.Structure):
556
476
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
477
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
478
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
479
credentials_type_t = ctypes.c_int #
560
480
transport_ptr_t = ctypes.c_void_p
561
481
close_request_t = ctypes.c_int
564
484
class Error(Exception):
565
485
# We need to use the class name "GnuTLS" here, since this
566
486
# exception might be raised from within GnuTLS.__init__,
567
487
# which is called before the assignment to the "gnutls"
568
488
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
489
def __init__(self, message = None, code = None, args=()):
570
490
# Default usage is by a message string, but if a return
571
491
# code is passed, convert it to a string with
572
492
# gnutls.strerror()
641
561
return _error_code(result)
642
562
result = func(*arguments)
645
565
# Unless otherwise indicated, the function declarations below are
646
566
# all from the gnutls/gnutls.h C header file.
649
569
priority_set_direct = _library.gnutls_priority_set_direct
650
570
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
571
ctypes.POINTER(ctypes.c_char_p)]
652
572
priority_set_direct.restype = _error_code
654
574
init = _library.gnutls_init
655
575
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
576
init.restype = _error_code
658
578
set_default_priority = _library.gnutls_set_default_priority
659
579
set_default_priority.argtypes = [session_t]
660
580
set_default_priority.restype = _error_code
662
582
record_send = _library.gnutls_record_send
663
583
record_send.argtypes = [session_t, ctypes.c_void_p,
665
585
record_send.restype = ctypes.c_ssize_t
666
586
record_send.errcheck = _retry_on_error
668
588
certificate_allocate_credentials = (
669
589
_library.gnutls_certificate_allocate_credentials)
670
590
certificate_allocate_credentials.argtypes = [
671
591
ctypes.POINTER(certificate_credentials_t)]
672
592
certificate_allocate_credentials.restype = _error_code
674
594
certificate_free_credentials = (
675
595
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
596
certificate_free_credentials.argtypes = [certificate_credentials_t]
678
597
certificate_free_credentials.restype = None
680
599
handshake_set_private_extensions = (
681
600
_library.gnutls_handshake_set_private_extensions)
682
601
handshake_set_private_extensions.argtypes = [session_t,
684
603
handshake_set_private_extensions.restype = None
686
605
credentials_set = _library.gnutls_credentials_set
687
606
credentials_set.argtypes = [session_t, credentials_type_t,
689
608
credentials_set.restype = _error_code
691
610
strerror = _library.gnutls_strerror
692
611
strerror.argtypes = [ctypes.c_int]
693
612
strerror.restype = ctypes.c_char_p
695
614
certificate_type_get = _library.gnutls_certificate_type_get
696
615
certificate_type_get.argtypes = [session_t]
697
616
certificate_type_get.restype = _error_code
699
618
certificate_get_peers = _library.gnutls_certificate_get_peers
700
619
certificate_get_peers.argtypes = [session_t,
701
620
ctypes.POINTER(ctypes.c_uint)]
702
621
certificate_get_peers.restype = ctypes.POINTER(datum_t)
704
623
global_set_log_level = _library.gnutls_global_set_log_level
705
624
global_set_log_level.argtypes = [ctypes.c_int]
706
625
global_set_log_level.restype = None
708
627
global_set_log_function = _library.gnutls_global_set_log_function
709
628
global_set_log_function.argtypes = [log_func]
710
629
global_set_log_function.restype = None
712
631
deinit = _library.gnutls_deinit
713
632
deinit.argtypes = [session_t]
714
633
deinit.restype = None
716
635
handshake = _library.gnutls_handshake
717
636
handshake.argtypes = [session_t]
718
637
handshake.restype = _error_code
719
638
handshake.errcheck = _retry_on_error
721
640
transport_set_ptr = _library.gnutls_transport_set_ptr
722
641
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
642
transport_set_ptr.restype = None
725
644
bye = _library.gnutls_bye
726
645
bye.argtypes = [session_t, close_request_t]
727
646
bye.restype = _error_code
728
647
bye.errcheck = _retry_on_error
730
649
check_version = _library.gnutls_check_version
731
650
check_version.argtypes = [ctypes.c_char_p]
732
651
check_version.restype = ctypes.c_char_p
734
653
# All the function declarations below are from gnutls/openpgp.h
736
655
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
656
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
657
openpgp_crt_init.restype = _error_code
740
659
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
660
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
661
ctypes.POINTER(datum_t),
743
662
openpgp_crt_fmt_t]
744
663
openpgp_crt_import.restype = _error_code
746
665
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
666
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
667
ctypes.POINTER(ctypes.c_uint)]
749
668
openpgp_crt_verify_self.restype = _error_code
751
670
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
671
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
672
openpgp_crt_deinit.restype = None
755
674
openpgp_crt_get_fingerprint = (
756
675
_library.gnutls_openpgp_crt_get_fingerprint)
757
676
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
787
704
checker: subprocess.Popen(); a running checker process used
788
705
to see if the client lives.
789
706
'None' if no process is running.
790
checker_callback_tag: a GLib event source tag, or None
707
checker_callback_tag: a gobject event source tag, or None
791
708
checker_command: string; External command which is run to check
792
709
if client lives. %() expansions are done at
793
710
runtime with vars(self) as dict, so that for
794
711
instance %(name)s can be used in the command.
795
checker_initiator_tag: a GLib event source tag, or None
712
checker_initiator_tag: a gobject event source tag, or None
796
713
created: datetime.datetime(); (UTC) object creation
797
714
client_structure: Object describing what attributes a client has
798
715
and is used for storing the client at exit
799
716
current_checker_command: string; current running checker_command
800
disable_initiator_tag: a GLib event source tag, or None
717
disable_initiator_tag: a gobject event source tag, or None
802
719
fingerprint: string (40 or 32 hexadecimal digits); used to
803
720
uniquely identify the client
852
769
for client_name in config.sections():
853
770
section = dict(config.items(client_name))
854
771
client = settings[client_name] = {}
856
773
client["host"] = section["host"]
857
774
# Reformat values from string types to Python types
858
775
client["approved_by_default"] = config.getboolean(
859
776
client_name, "approved_by_default")
860
777
client["enabled"] = config.getboolean(client_name,
863
780
# Uppercase and remove spaces from fingerprint for later
864
781
# comparison purposes with return value from the
865
782
# fingerprint() function
866
783
client["fingerprint"] = (section["fingerprint"].upper()
867
784
.replace(" ", ""))
868
785
if "secret" in section:
869
client["secret"] = codecs.decode(section["secret"]
786
client["secret"] = section["secret"].decode("base64")
872
787
elif "secfile" in section:
873
788
with open(os.path.expanduser(os.path.expandvars
874
789
(section["secfile"])),
927
842
self.changedstate = multiprocessing_manager.Condition(
928
843
multiprocessing_manager.Lock())
929
844
self.client_structure = [attr
930
for attr in self.__dict__.keys()
845
for attr in self.__dict__.iterkeys()
931
846
if not attr.startswith("_")]
932
847
self.client_structure.append("client_structure")
934
849
for name, t in inspect.getmembers(
935
850
type(self), lambda obj: isinstance(obj, property)):
936
851
if not name.startswith("_"):
937
852
self.client_structure.append(name)
939
854
# Send notice to process children that client state has changed
940
855
def send_changedstate(self):
941
856
with self.changedstate:
942
857
self.changedstate.notify_all()
944
859
def enable(self):
945
860
"""Start this client's checker and timeout hooks"""
946
861
if getattr(self, "enabled", False):
960
875
logger.info("Disabling client %s", self.name)
961
876
if getattr(self, "disable_initiator_tag", None) is not None:
962
GLib.source_remove(self.disable_initiator_tag)
877
gobject.source_remove(self.disable_initiator_tag)
963
878
self.disable_initiator_tag = None
964
879
self.expires = None
965
880
if getattr(self, "checker_initiator_tag", None) is not None:
966
GLib.source_remove(self.checker_initiator_tag)
881
gobject.source_remove(self.checker_initiator_tag)
967
882
self.checker_initiator_tag = None
968
883
self.stop_checker()
969
884
self.enabled = False
971
886
self.send_changedstate()
972
# Do not run this again if called by a GLib.timeout_add
887
# Do not run this again if called by a gobject.timeout_add
975
890
def __del__(self):
978
893
def init_checker(self):
979
894
# Schedule a new checker to be started an 'interval' from now,
980
895
# and every interval from then on.
981
896
if self.checker_initiator_tag is not None:
982
GLib.source_remove(self.checker_initiator_tag)
983
self.checker_initiator_tag = GLib.timeout_add(
897
gobject.source_remove(self.checker_initiator_tag)
898
self.checker_initiator_tag = gobject.timeout_add(
984
899
int(self.interval.total_seconds() * 1000),
985
900
self.start_checker)
986
901
# Schedule a disable() when 'timeout' has passed
987
902
if self.disable_initiator_tag is not None:
988
GLib.source_remove(self.disable_initiator_tag)
989
self.disable_initiator_tag = GLib.timeout_add(
903
gobject.source_remove(self.disable_initiator_tag)
904
self.disable_initiator_tag = gobject.timeout_add(
990
905
int(self.timeout.total_seconds() * 1000), self.disable)
991
906
# Also start a new checker *right now*.
992
907
self.start_checker()
994
909
def checker_callback(self, source, condition, connection,
996
911
"""The checker has completed, so take appropriate actions."""
1015
930
logger.warning("Checker for %(name)s crashed?",
1019
934
def checked_ok(self):
1020
935
"""Assert that the client has been seen, alive and well."""
1021
936
self.last_checked_ok = datetime.datetime.utcnow()
1022
937
self.last_checker_status = 0
1023
938
self.last_checker_signal = None
1024
939
self.bump_timeout()
1026
941
def bump_timeout(self, timeout=None):
1027
942
"""Bump up the timeout for this client."""
1028
943
if timeout is None:
1029
944
timeout = self.timeout
1030
945
if self.disable_initiator_tag is not None:
1031
GLib.source_remove(self.disable_initiator_tag)
946
gobject.source_remove(self.disable_initiator_tag)
1032
947
self.disable_initiator_tag = None
1033
948
if getattr(self, "enabled", False):
1034
self.disable_initiator_tag = GLib.timeout_add(
949
self.disable_initiator_tag = gobject.timeout_add(
1035
950
int(timeout.total_seconds() * 1000), self.disable)
1036
951
self.expires = datetime.datetime.utcnow() + timeout
1038
953
def need_approval(self):
1039
954
self.last_approval_request = datetime.datetime.utcnow()
1041
956
def start_checker(self):
1042
957
"""Start a new checker subprocess if one is not running.
1044
959
If a checker already exists, leave it running and do
1046
961
# The reason for not killing a running checker is that if we
1079
994
# The exception is when not debugging but nevertheless
1080
995
# running in the foreground; use the previously
1081
996
# created wnull.
1082
popen_args = {"close_fds": True,
997
popen_args = { "close_fds": True,
1085
1000
if (not self.server_settings["debug"]
1086
1001
and self.server_settings["foreground"]):
1087
1002
popen_args.update({"stdout": wnull,
1089
pipe = multiprocessing.Pipe(duplex=False)
1004
pipe = multiprocessing.Pipe(duplex = False)
1090
1005
self.checker = multiprocessing.Process(
1092
args=(pipe[1], subprocess.call, command),
1007
args = (pipe[1], subprocess.call, command),
1008
kwargs = popen_args)
1094
1009
self.checker.start()
1095
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1010
self.checker_callback_tag = gobject.io_add_watch(
1011
pipe[0].fileno(), gobject.IO_IN,
1097
1012
self.checker_callback, pipe[0], command)
1098
# Re-run this periodically if run by GLib.timeout_add
1013
# Re-run this periodically if run by gobject.timeout_add
1101
1016
def stop_checker(self):
1102
1017
"""Force the checker process, if any, to stop."""
1103
1018
if self.checker_callback_tag:
1104
GLib.source_remove(self.checker_callback_tag)
1019
gobject.source_remove(self.checker_callback_tag)
1105
1020
self.checker_callback_tag = None
1106
1021
if getattr(self, "checker", None) is None:
1138
1053
func._dbus_name = func.__name__
1139
1054
if func._dbus_name.endswith("_dbus_property"):
1140
1055
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1056
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1144
1059
return decorator
1147
1062
def dbus_interface_annotations(dbus_interface):
1148
1063
"""Decorator for marking functions returning interface annotations
1152
1067
@dbus_interface_annotations("org.example.Interface")
1153
1068
def _foo(self): # Function name does not matter
1154
1069
return {"org.freedesktop.DBus.Deprecated": "true",
1155
1070
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1159
1074
def decorator(func):
1160
1075
func._dbus_is_interface = True
1161
1076
func._dbus_interface = dbus_interface
1162
1077
func._dbus_name = dbus_interface
1165
1080
return decorator
1168
1083
def dbus_annotations(annotations):
1169
1084
"""Decorator to annotate D-Bus methods, signals or properties
1172
1087
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1173
1088
"org.freedesktop.DBus.Property."
1174
1089
"EmitsChangedSignal": "false"})
1230
1145
for cls in self.__class__.__mro__
1231
1146
for name, athing in
1232
1147
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1234
1149
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1236
path_keyword='object_path',
1237
connection_keyword='connection')
1150
out_signature = "s",
1151
path_keyword = 'object_path',
1152
connection_keyword = 'connection')
1238
1153
def Introspect(self, object_path, connection):
1239
1154
"""Overloading of standard D-Bus method.
1241
1156
Inserts annotation tags on methods and signals.
1243
1158
xmlstring = dbus.service.Object.Introspect(self, object_path,
1246
1161
document = xml.dom.minidom.parseString(xmlstring)
1248
1163
for if_tag in document.getElementsByTagName("interface"):
1249
1164
# Add annotation tags
1250
1165
for typ in ("method", "signal"):
1466
1381
except AttributeError:
1467
1382
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1470
1384
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1471
1385
"""A D-Bus object with an ObjectManager.
1473
1387
Classes inheriting from this exposes the standard
1474
1388
GetManagedObjects call and the InterfacesAdded and
1475
1389
InterfacesRemoved signals on the standard
1476
1390
"org.freedesktop.DBus.ObjectManager" interface.
1478
1392
Note: No signals are sent automatically; they must be sent
1481
1395
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1482
out_signature="a{oa{sa{sv}}}")
1396
out_signature = "a{oa{sa{sv}}}")
1483
1397
def GetManagedObjects(self):
1484
1398
"""This function must be overridden"""
1485
1399
raise NotImplementedError()
1487
1401
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1488
signature="oa{sa{sv}}")
1402
signature = "oa{sa{sv}}")
1489
1403
def InterfacesAdded(self, object_path, interfaces_and_properties):
1492
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1406
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1493
1407
def InterfacesRemoved(self, object_path, interfaces):
1496
1410
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1411
out_signature = "s",
1412
path_keyword = 'object_path',
1413
connection_keyword = 'connection')
1500
1414
def Introspect(self, object_path, connection):
1501
1415
"""Overloading of standard D-Bus method.
1503
1417
Override return argument name of GetManagedObjects to be
1504
1418
"objpath_interfaces_and_properties"
1544
1457
dbus.service.Object, it will add alternate D-Bus attributes with
1545
1458
interface names according to the "alt_interface_names" mapping.
1548
1461
@alternate_dbus_interfaces({"org.example.Interface":
1549
1462
"net.example.AlternateInterface"})
1550
1463
class SampleDBusObject(dbus.service.Object):
1551
1464
@dbus.service.method("org.example.Interface")
1552
1465
def SampleDBusMethod():
1555
1468
The above "SampleDBusMethod" on "SampleDBusObject" will be
1556
1469
reachable via two interfaces: "org.example.Interface" and
1557
1470
"net.example.AlternateInterface", the latter of which will have
1558
1471
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1559
1472
"true", unless "deprecate" is passed with a False value.
1561
1474
This works for methods and signals, and also for D-Bus properties
1562
1475
(from DBusObjectWithProperties) and interfaces (from the
1563
1476
dbus_interface_annotations decorator).
1566
1479
def wrapper(cls):
1567
1480
for orig_interface_name, alt_interface_name in (
1568
1481
alt_interface_names.items()):
1583
1496
interface_names.add(alt_interface)
1584
1497
# Is this a D-Bus signal?
1585
1498
if getattr(attribute, "_dbus_is_signal", False):
1586
# Extract the original non-method undecorated
1587
# function by black magic
1588
1499
if sys.version_info.major == 2:
1500
# Extract the original non-method undecorated
1501
# function by black magic
1589
1502
nonmethod_func = (dict(
1590
1503
zip(attribute.func_code.co_freevars,
1591
1504
attribute.__closure__))
1592
1505
["func"].cell_contents)
1594
nonmethod_func = (dict(
1595
zip(attribute.__code__.co_freevars,
1596
attribute.__closure__))
1597
["func"].cell_contents)
1507
nonmethod_func = attribute
1598
1508
# Create a new, but exactly alike, function
1599
1509
# object, and decorate it to be a new D-Bus signal
1600
1510
# with the alternate D-Bus interface name
1601
new_function = copy_function(nonmethod_func)
1511
if sys.version_info.major == 2:
1512
new_function = types.FunctionType(
1513
nonmethod_func.func_code,
1514
nonmethod_func.func_globals,
1515
nonmethod_func.func_name,
1516
nonmethod_func.func_defaults,
1517
nonmethod_func.func_closure)
1519
new_function = types.FunctionType(
1520
nonmethod_func.__code__,
1521
nonmethod_func.__globals__,
1522
nonmethod_func.__name__,
1523
nonmethod_func.__defaults__,
1524
nonmethod_func.__closure__)
1602
1525
new_function = (dbus.service.signal(
1604
1527
attribute._dbus_signature)(new_function))
1712
1642
"se.bsnet.fukt.Mandos"})
1713
1643
class ClientDBus(Client, DBusObjectWithProperties):
1714
1644
"""A Client class using D-Bus
1717
1647
dbus_object_path: dbus.ObjectPath
1718
1648
bus: dbus.SystemBus()
1721
1651
runtime_expansions = (Client.runtime_expansions
1722
1652
+ ("dbus_object_path", ))
1724
1654
_interface = "se.recompile.Mandos.Client"
1726
1656
# dbus.service.Object doesn't use super(), so we can't either.
1728
def __init__(self, bus=None, *args, **kwargs):
1658
def __init__(self, bus = None, *args, **kwargs):
1730
1660
Client.__init__(self, *args, **kwargs)
1731
1661
# Only now, when this client is initialized, can it show up on
1768
1698
dbus_value = transform_func(
1769
1699
type_func(value),
1770
variant_level=variant_level)
1700
variant_level = variant_level)
1771
1701
self.PropertyChanged(dbus.String(dbus_name),
1773
1703
self.PropertiesChanged(
1775
dbus.Dictionary({dbus.String(dbus_name):
1705
dbus.Dictionary({ dbus.String(dbus_name):
1778
1708
setattr(self, attrname, value)
1780
1710
return property(lambda self: getattr(self, attrname), setter)
1782
1712
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1783
1713
approvals_pending = notifychangeproperty(dbus.Boolean,
1784
1714
"ApprovalPending",
1786
1716
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1787
1717
last_enabled = notifychangeproperty(datetime_to_dbus,
1789
1719
checker = notifychangeproperty(
1790
1720
dbus.Boolean, "CheckerRunning",
1791
type_func=lambda checker: checker is not None)
1721
type_func = lambda checker: checker is not None)
1792
1722
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1793
1723
"LastCheckedOK")
1794
1724
last_checker_status = notifychangeproperty(dbus.Int16,
1799
1729
"ApprovedByDefault")
1800
1730
approval_delay = notifychangeproperty(
1801
1731
dbus.UInt64, "ApprovalDelay",
1802
type_func=lambda td: td.total_seconds() * 1000)
1732
type_func = lambda td: td.total_seconds() * 1000)
1803
1733
approval_duration = notifychangeproperty(
1804
1734
dbus.UInt64, "ApprovalDuration",
1805
type_func=lambda td: td.total_seconds() * 1000)
1735
type_func = lambda td: td.total_seconds() * 1000)
1806
1736
host = notifychangeproperty(dbus.String, "Host")
1807
1737
timeout = notifychangeproperty(
1808
1738
dbus.UInt64, "Timeout",
1809
type_func=lambda td: td.total_seconds() * 1000)
1739
type_func = lambda td: td.total_seconds() * 1000)
1810
1740
extended_timeout = notifychangeproperty(
1811
1741
dbus.UInt64, "ExtendedTimeout",
1812
type_func=lambda td: td.total_seconds() * 1000)
1742
type_func = lambda td: td.total_seconds() * 1000)
1813
1743
interval = notifychangeproperty(
1814
1744
dbus.UInt64, "Interval",
1815
type_func=lambda td: td.total_seconds() * 1000)
1745
type_func = lambda td: td.total_seconds() * 1000)
1816
1746
checker_command = notifychangeproperty(dbus.String, "Checker")
1817
1747
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1818
1748
invalidate_only=True)
1820
1750
del notifychangeproperty
1822
1752
def __del__(self, *args, **kwargs):
1824
1754
self.remove_from_connection()
1859
1789
# Emit D-Bus signal
1860
1790
self.CheckerStarted(self.current_checker_command)
1863
1793
def _reset_approved(self):
1864
1794
self.approved = None
1867
1797
def approve(self, value=True):
1868
1798
self.approved = value
1869
GLib.timeout_add(int(self.approval_duration.total_seconds()
1870
* 1000), self._reset_approved)
1799
gobject.timeout_add(int(self.approval_duration.total_seconds()
1800
* 1000), self._reset_approved)
1871
1801
self.send_changedstate()
1873
# D-Bus methods, signals & properties
1803
## D-Bus methods, signals & properties
1879
1809
# CheckerCompleted - signal
1880
1810
@dbus.service.signal(_interface, signature="nxs")
1881
1811
def CheckerCompleted(self, exitcode, waitstatus, command):
1885
1815
# CheckerStarted - signal
1886
1816
@dbus.service.signal(_interface, signature="s")
1887
1817
def CheckerStarted(self, command):
1891
1821
# PropertyChanged - signal
1892
1822
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1893
1823
@dbus.service.signal(_interface, signature="sv")
1894
1824
def PropertyChanged(self, property, value):
1898
1828
# GotSecret - signal
1899
1829
@dbus.service.signal(_interface)
1900
1830
def GotSecret(self):
1903
1833
server to mandos-client
1907
1837
# Rejected - signal
1908
1838
@dbus.service.signal(_interface, signature="s")
1909
1839
def Rejected(self, reason):
1913
1843
# NeedApproval - signal
1914
1844
@dbus.service.signal(_interface, signature="tb")
1915
1845
def NeedApproval(self, timeout, default):
1917
1847
return self.need_approval()
1921
1851
# Approve - method
1922
1852
@dbus.service.method(_interface, in_signature="b")
1923
1853
def Approve(self, value):
1924
1854
self.approve(value)
1926
1856
# CheckedOK - method
1927
1857
@dbus.service.method(_interface)
1928
1858
def CheckedOK(self):
1929
1859
self.checked_ok()
1931
1861
# Enable - method
1932
1862
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1933
1863
@dbus.service.method(_interface)
1934
1864
def Enable(self):
1938
1868
# StartChecker - method
1939
1869
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1940
1870
@dbus.service.method(_interface)
1941
1871
def StartChecker(self):
1943
1873
self.start_checker()
1945
1875
# Disable - method
1946
1876
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1947
1877
@dbus.service.method(_interface)
1948
1878
def Disable(self):
1952
1882
# StopChecker - method
1953
1883
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1954
1884
@dbus.service.method(_interface)
1955
1885
def StopChecker(self):
1956
1886
self.stop_checker()
1960
1890
# ApprovalPending - property
1961
1891
@dbus_service_property(_interface, signature="b", access="read")
1962
1892
def ApprovalPending_dbus_property(self):
1963
1893
return dbus.Boolean(bool(self.approvals_pending))
1965
1895
# ApprovedByDefault - property
1966
1896
@dbus_service_property(_interface,
2047
1977
self.checked_ok()
2049
1979
return datetime_to_dbus(self.last_checked_ok)
2051
1981
# LastCheckerStatus - property
2052
1982
@dbus_service_property(_interface, signature="n", access="read")
2053
1983
def LastCheckerStatus_dbus_property(self):
2054
1984
return dbus.Int16(self.last_checker_status)
2056
1986
# Expires - property
2057
1987
@dbus_service_property(_interface, signature="s", access="read")
2058
1988
def Expires_dbus_property(self):
2059
1989
return datetime_to_dbus(self.expires)
2061
1991
# LastApprovalRequest - property
2062
1992
@dbus_service_property(_interface, signature="s", access="read")
2063
1993
def LastApprovalRequest_dbus_property(self):
2064
1994
return datetime_to_dbus(self.last_approval_request)
2066
1996
# Timeout - property
2067
1997
@dbus_service_property(_interface,
2189
2119
class ClientHandler(socketserver.BaseRequestHandler, object):
2190
2120
"""A class to handle client connections.
2192
2122
Instantiated once for each connection to handle it.
2193
2123
Note: This will run in its own forked process."""
2195
2125
def handle(self):
2196
2126
with contextlib.closing(self.server.child_pipe) as child_pipe:
2197
2127
logger.info("TCP connection from: %s",
2198
2128
str(self.client_address))
2199
2129
logger.debug("Pipe FD: %d",
2200
2130
self.server.child_pipe.fileno())
2202
2132
session = gnutls.ClientSession(self.request)
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2205
# "+AES-256-CBC", "+SHA1",
2206
# "+COMP-NULL", "+CTYPE-OPENPGP",
2134
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2135
# "+AES-256-CBC", "+SHA1",
2136
# "+COMP-NULL", "+CTYPE-OPENPGP",
2208
2138
# Use a fallback default, since this MUST be set.
2209
2139
priority = self.server.gnutls_priority
2210
2140
if priority is None:
2211
2141
priority = "NORMAL"
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2142
gnutls.priority_set_direct(session._c_object, priority,
2216
2145
# Start communication using the Mandos protocol
2217
2146
# Get protocol number
2218
2147
line = self.request.makefile().readline()
2383
2312
class MultiprocessingMixIn(object):
2384
2313
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2386
2315
def sub_process_main(self, request, address):
2388
2317
self.finish_request(request, address)
2389
2318
except Exception:
2390
2319
self.handle_error(request, address)
2391
2320
self.close_request(request)
2393
2322
def process_request(self, request, address):
2394
2323
"""Start a new process to process the request."""
2395
proc = multiprocessing.Process(target=self.sub_process_main,
2396
args=(request, address))
2324
proc = multiprocessing.Process(target = self.sub_process_main,
2325
args = (request, address))
2401
2330
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2402
2331
""" adds a pipe to the MixIn """
2404
2333
def process_request(self, request, client_address):
2405
2334
"""Overrides and wraps the original process_request().
2407
2336
This function creates a new pipe in self.pipe
2409
2338
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2411
2340
proc = MultiprocessingMixIn.process_request(self, request,
2412
2341
client_address)
2413
2342
self.child_pipe.close()
2414
2343
self.add_pipe(parent_pipe, proc)
2416
2345
def add_pipe(self, parent_pipe, proc):
2417
2346
"""Dummy function; override as necessary"""
2418
2347
raise NotImplementedError()
2467
2395
# socket_wrapper(), if socketfd was set.
2468
2396
socketserver.TCPServer.__init__(self, server_address,
2469
2397
RequestHandlerClass)
2471
2399
def server_bind(self):
2472
2400
"""This overrides the normal server_bind() function
2473
2401
to bind to an interface if one was specified, and also NOT to
2474
2402
bind to an address or port if they were not specified."""
2475
global SO_BINDTODEVICE
2476
2403
if self.interface is not None:
2477
2404
if SO_BINDTODEVICE is None:
2478
# Fall back to a hard-coded value which seems to be
2480
logger.warning("SO_BINDTODEVICE not found, trying 25")
2481
SO_BINDTODEVICE = 25
2483
self.socket.setsockopt(
2484
socket.SOL_SOCKET, SO_BINDTODEVICE,
2485
(self.interface + "\0").encode("utf-8"))
2486
except socket.error as error:
2487
if error.errno == errno.EPERM:
2488
logger.error("No permission to bind to"
2489
" interface %s", self.interface)
2490
elif error.errno == errno.ENOPROTOOPT:
2491
logger.error("SO_BINDTODEVICE not available;"
2492
" cannot bind to interface %s",
2494
elif error.errno == errno.ENODEV:
2495
logger.error("Interface %s does not exist,"
2496
" cannot bind", self.interface)
2405
logger.error("SO_BINDTODEVICE does not exist;"
2406
" cannot bind to interface %s",
2410
self.socket.setsockopt(
2411
socket.SOL_SOCKET, SO_BINDTODEVICE,
2412
(self.interface + "\0").encode("utf-8"))
2413
except socket.error as error:
2414
if error.errno == errno.EPERM:
2415
logger.error("No permission to bind to"
2416
" interface %s", self.interface)
2417
elif error.errno == errno.ENOPROTOOPT:
2418
logger.error("SO_BINDTODEVICE not available;"
2419
" cannot bind to interface %s",
2421
elif error.errno == errno.ENODEV:
2422
logger.error("Interface %s does not exist,"
2423
" cannot bind", self.interface)
2499
2426
# Only bind(2) the socket if we really need to.
2500
2427
if self.server_address[0] or self.server_address[1]:
2501
2428
if not self.server_address[0]:
2502
2429
if self.address_family == socket.AF_INET6:
2503
any_address = "::" # in6addr_any
2430
any_address = "::" # in6addr_any
2505
any_address = "0.0.0.0" # INADDR_ANY
2432
any_address = "0.0.0.0" # INADDR_ANY
2506
2433
self.server_address = (any_address,
2507
2434
self.server_address[1])
2508
2435
elif not self.server_address[1]:
2542
2469
self.gnutls_priority = gnutls_priority
2543
2470
IPv6_TCPServer.__init__(self, server_address,
2544
2471
RequestHandlerClass,
2545
interface=interface,
2472
interface = interface,
2473
use_ipv6 = use_ipv6,
2474
socketfd = socketfd)
2549
2476
def server_activate(self):
2550
2477
if self.enabled:
2551
2478
return socketserver.TCPServer.server_activate(self)
2553
2480
def enable(self):
2554
2481
self.enabled = True
2556
2483
def add_pipe(self, parent_pipe, proc):
2557
2484
# Call "handle_ipc" for both data and EOF events
2485
gobject.io_add_watch(
2559
2486
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2487
gobject.IO_IN | gobject.IO_HUP,
2561
2488
functools.partial(self.handle_ipc,
2562
parent_pipe=parent_pipe,
2489
parent_pipe = parent_pipe,
2565
2492
def handle_ipc(self, source, condition,
2566
2493
parent_pipe=None,
2568
2495
client_object=None):
2569
2496
# error, or the other end of multiprocessing.Pipe has closed
2570
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2497
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2571
2498
# Wait for other process to exit
2575
2502
# Read a request from the child
2576
2503
request = parent_pipe.recv()
2577
2504
command = request[0]
2579
2506
if command == 'init':
2580
2507
fpr = request[1]
2581
2508
address = request[2]
2583
for c in self.clients.values():
2510
for c in self.clients.itervalues():
2584
2511
if c.fingerprint == fpr:
2649
2576
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
2577
datetime.timedelta(1, 200)
2653
2580
# Parsing an RFC 3339 duration with regular expressions is not
2654
2581
# possible - there would have to be multiple places for the same
2655
2582
# values, like seconds. The current code, while more esoteric, is
2656
2583
# cleaner without depending on a parsing library. If Python had a
2657
2584
# built-in library for parsing we would use it, but we'd like to
2658
2585
# avoid excessive use of external libraries.
2660
2587
# New type for defining tokens, syntax, and semantics all-in-one
2661
2588
Token = collections.namedtuple("Token", (
2662
2589
"regexp", # To match token; if "value" is not None, must have
2849
2773
parser.add_argument("--no-zeroconf", action="store_false",
2850
2774
dest="zeroconf", help="Do not use Zeroconf",
2853
2777
options = parser.parse_args()
2855
2779
if options.check:
2857
2781
fail_count, test_count = doctest.testmod()
2858
2782
sys.exit(os.EX_OK if fail_count == 0 else 1)
2860
2784
# Default values for config file for server-global settings
2861
server_defaults = {"interface": "",
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
2868
"servicename": "Mandos",
2874
"statedir": "/var/lib/mandos",
2875
"foreground": "False",
2785
server_defaults = { "interface": "",
2790
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2791
":+SIGN-DSA-SHA256",
2792
"servicename": "Mandos",
2798
"statedir": "/var/lib/mandos",
2799
"foreground": "False",
2879
2803
# Parse config file for server-global settings
2880
2804
server_config = configparser.SafeConfigParser(server_defaults)
2881
2805
del server_defaults
3006
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3008
2927
except OSError as error:
3009
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3010
.format(uid, gid, os.strerror(error.errno)))
3011
2928
if error.errno != errno.EPERM:
3015
2932
# Enable all possible GnuTLS debugging
3017
2934
# "Use a log level over 10 to enable all debugging options."
3018
2935
# - GnuTLS manual
3019
2936
gnutls.global_set_log_level(11)
3021
2938
@gnutls.log_func
3022
2939
def debug_gnutls(level, string):
3023
2940
logger.debug("GnuTLS: %s", string[:-1])
3025
2942
gnutls.global_set_log_function(debug_gnutls)
3027
2944
# Redirect stdin so all checkers get /dev/null
3028
2945
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3029
2946
os.dup2(null, sys.stdin.fileno())
3033
2950
# Need to fork before connecting to D-Bus
3034
2951
if not foreground:
3035
2952
# Close all input and output, do double fork, etc.
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
2955
# multiprocessing will use threads, so before we use gobject we
2956
# need to inform gobject that threads will be used.
2957
gobject.threads_init()
3042
2959
global main_loop
3043
2960
# From the Avahi example code
3044
2961
DBusGMainLoop(set_as_default=True)
3045
main_loop = GLib.MainLoop()
2962
main_loop = gobject.MainLoop()
3046
2963
bus = dbus.SystemBus()
3047
2964
# End of Avahi example code
3062
2979
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3063
2980
service = AvahiServiceToSyslog(
3064
name=server_settings["servicename"],
3065
servicetype="_mandos._tcp",
2981
name = server_settings["servicename"],
2982
servicetype = "_mandos._tcp",
2983
protocol = protocol,
3068
2985
if server_settings["interface"]:
3069
2986
service.interface = if_nametoindex(
3070
2987
server_settings["interface"].encode("utf-8"))
3072
2989
global multiprocessing_manager
3073
2990
multiprocessing_manager = multiprocessing.Manager()
3075
2992
client_class = Client
3077
client_class = functools.partial(ClientDBus, bus=bus)
2994
client_class = functools.partial(ClientDBus, bus = bus)
3079
2996
client_settings = Client.config_parser(client_config)
3080
2997
old_client_settings = {}
3081
2998
clients_data = {}
3083
3000
# This is used to redirect stdout and stderr for checker processes
3085
wnull = open(os.devnull, "w") # A writable /dev/null
3002
wnull = open(os.devnull, "w") # A writable /dev/null
3086
3003
# Only used if server is running in foreground but not in debug
3088
3005
if debug or not foreground:
3091
3008
# Get client data and settings from last running state.
3092
3009
if server_settings["restore"]:
3094
3011
with open(stored_state_path, "rb") as stored_state:
3095
if sys.version_info.major == 2:
3096
clients_data, old_client_settings = pickle.load(
3099
bytes_clients_data, bytes_old_client_settings = (
3100
pickle.load(stored_state, encoding="bytes"))
3101
# Fix bytes to strings
3104
clients_data = {(key.decode("utf-8")
3105
if isinstance(key, bytes)
3108
bytes_clients_data.items()}
3109
del bytes_clients_data
3110
for key in clients_data:
3111
value = {(k.decode("utf-8")
3112
if isinstance(k, bytes) else k): v
3114
clients_data[key].items()}
3115
clients_data[key] = value
3117
value["client_structure"] = [
3119
if isinstance(s, bytes)
3121
value["client_structure"]]
3123
for k in ("name", "host"):
3124
if isinstance(value[k], bytes):
3125
value[k] = value[k].decode("utf-8")
3126
# old_client_settings
3128
old_client_settings = {
3129
(key.decode("utf-8")
3130
if isinstance(key, bytes)
3133
bytes_old_client_settings.items()}
3134
del bytes_old_client_settings
3136
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3012
clients_data, old_client_settings = pickle.load(
3140
3014
os.remove(stored_state_path)
3141
3015
except IOError as e:
3142
3016
if e.errno == errno.ENOENT:
3242
3116
pidfilename, pid)
3244
3118
del pidfilename
3246
for termsig in (signal.SIGHUP, signal.SIGTERM):
3247
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3248
lambda: main_loop.quit() and False)
3120
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3121
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3252
3125
@alternate_dbus_interfaces(
3253
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3126
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3254
3127
class MandosDBusService(DBusObjectWithObjectManager):
3255
3128
"""A D-Bus proxy object"""
3257
3130
def __init__(self):
3258
3131
dbus.service.Object.__init__(self, bus, "/")
3260
3133
_interface = "se.recompile.Mandos"
3262
3135
@dbus.service.signal(_interface, signature="o")
3263
3136
def ClientAdded(self, objpath):
3267
3140
@dbus.service.signal(_interface, signature="ss")
3268
3141
def ClientNotFound(self, fingerprint, address):
3272
3145
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3274
3147
@dbus.service.signal(_interface, signature="os")
3275
3148
def ClientRemoved(self, objpath, name):
3279
3152
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3281
3154
@dbus.service.method(_interface, out_signature="ao")
3282
3155
def GetAllClients(self):
3284
3157
return dbus.Array(c.dbus_object_path for c in
3285
tcp_server.clients.values())
3158
tcp_server.clients.itervalues())
3287
3160
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3289
3162
@dbus.service.method(_interface,
3309
3182
self.client_removed_signal(c)
3311
3184
raise KeyError(object_path)
3315
3188
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3316
out_signature="a{oa{sa{sv}}}")
3189
out_signature = "a{oa{sa{sv}}}")
3317
3190
def GetManagedObjects(self):
3318
3191
"""D-Bus method"""
3319
3192
return dbus.Dictionary(
3320
{client.dbus_object_path:
3322
{interface: client.GetAll(interface)
3324
client._get_all_interface_names()})
3325
for client in tcp_server.clients.values()})
3193
{ client.dbus_object_path:
3195
{ interface: client.GetAll(interface)
3197
client._get_all_interface_names()})
3198
for client in tcp_server.clients.values()})
3327
3200
def client_added_signal(self, client):
3328
3201
"""Send the new standard signal and the old signal"""
3348
3221
self.ClientRemoved(client.dbus_object_path,
3351
3224
mandos_dbus_service = MandosDBusService()
3353
# Save modules to variables to exempt the modules from being
3354
# unloaded before the function registered with atexit() is run.
3355
mp = multiprocessing
3359
3227
"Cleanup function; run on exit"
3361
3229
service.cleanup()
3363
mp.active_children()
3231
multiprocessing.active_children()
3365
3233
if not (tcp_server.clients or client_settings):
3368
3236
# Store client before exiting. Secrets are encrypted with key
3369
3237
# based on what config file has. If config file is
3370
3238
# removed/edited, old secret will thus be unrecovable.
3372
3240
with PGPEngine() as pgp:
3373
for client in tcp_server.clients.values():
3241
for client in tcp_server.clients.itervalues():
3374
3242
key = client_settings[client.name]["secret"]
3375
3243
client.encrypted_secret = pgp.encrypt(client.secret,
3377
3245
client_dict = {}
3379
3247
# A list of attributes that can not be pickled
3381
exclude = {"bus", "changedstate", "secret",
3382
"checker", "server_settings"}
3249
exclude = { "bus", "changedstate", "secret",
3250
"checker", "server_settings" }
3383
3251
for name, typ in inspect.getmembers(dbus.service
3385
3253
exclude.add(name)
3387
3255
client_dict["encrypted_secret"] = (client
3388
3256
.encrypted_secret)
3389
3257
for attr in client.client_structure:
3390
3258
if attr not in exclude:
3391
3259
client_dict[attr] = getattr(client, attr)
3393
3261
clients[client.name] = client_dict
3394
3262
del client_settings[client.name]["secret"]
3397
3265
with tempfile.NamedTemporaryFile(