To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 804
- compare with another revision
- download diff
- download tarball
- view history from revision 804
- Committer: Teddy Hogeborn
- Date: 2016-02-28 12:33:38 UTC
- Revision ID: teddy@recompile.se-20160228123338-l1v2745d89r4xofe
Also accept python-gi as alternative to python-gobject
* debian/control (Source: mandos/Build-Depends-Indep): Change
"python-gobject" to "python-gobject | python-gi".
(Package: mandos/Depends): - '' -
* debian/control (Source: mandos/Build-Depends-Indep): Change
"python-gobject" to "python-gobject | python-gi".
(Package: mandos/Depends): - '' -
added
removed
mandos
1
#!/usr/bin/python
1
#!/usr/bin/python2.7
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
37
from future_builtins import *
41
38
42
39
try:
43
40
import SocketServer as socketserver
79
76
80
77
import dbus
81
78
import dbus.service
82
from gi.repository import GLib
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
83
import avahi
83
84
from dbus.mainloop.glib import DBusGMainLoop
84
85
import ctypes
85
86
import ctypes.util
86
87
import xml.dom.minidom
87
88
import inspect
88
89
89
# Try to find the value of SO_BINDTODEVICE:
90
90
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
93
91
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
94
92
except AttributeError:
95
93
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
98
94
from IN import SO_BINDTODEVICE
99
95
except ImportError:
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
96
SO_BINDTODEVICE = None
113
97
114
98
if sys.version_info.major == 2:
115
99
str = unicode
116
100
117
version = "1.7.11"
101
version = "1.7.1"
118
102
stored_state_file = "clients.pickle"
119
103
120
104
logger = logging.getLogger()
124
108
if_nametoindex = ctypes.cdll.LoadLibrary(
125
109
ctypes.util.find_library("c")).if_nametoindex
126
110
except (OSError, AttributeError):
127
111
128
112
def if_nametoindex(interface):
129
113
"Get an interface index the hard way, i.e. using fcntl()"
130
114
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
135
119
return interface_index
136
120
137
121
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
154
122
def initlogger(debug, level=logging.WARNING):
155
123
"""init logger and add loglevel"""
156
124
157
125
global syslogger
158
126
syslogger = (logging.handlers.SysLogHandler(
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
161
129
syslogger.setFormatter(logging.Formatter
162
130
('Mandos [%(process)d]: %(levelname)s:'
163
131
' %(message)s'))
164
132
logger.addHandler(syslogger)
165
133
166
134
if debug:
167
135
console = logging.StreamHandler()
168
136
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
180
148
181
149
class PGPEngine(object):
182
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
151
184
152
def __init__(self):
185
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
186
self.gpg = "gpg"
187
try:
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
191
if name == "gpg":
192
self.gpg = path
193
break
194
except OSError as e:
195
if e.errno != errno.ENOENT:
196
raise
197
154
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
155
'--home', self.tempdir,
199
156
'--force-mdc',
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
157
'--quiet',
158
'--no-use-agent']
159
205
160
def __enter__(self):
206
161
return self
207
162
208
163
def __exit__(self, exc_type, exc_value, traceback):
209
164
self._cleanup()
210
165
return False
211
166
212
167
def __del__(self):
213
168
self._cleanup()
214
169
215
170
def _cleanup(self):
216
171
if self.tempdir is not None:
217
172
# Delete contents of tempdir
218
173
for root, dirs, files in os.walk(self.tempdir,
219
topdown=False):
174
topdown = False):
220
175
for filename in files:
221
176
os.remove(os.path.join(root, filename))
222
177
for dirname in dirs:
224
179
# Remove tempdir
225
180
os.rmdir(self.tempdir)
226
181
self.tempdir = None
227
182
228
183
def password_encode(self, password):
229
184
# Passphrase can not be empty and can not contain newlines or
230
185
# NUL bytes. So we prefix it and hex encode it.
235
190
.replace(b"\n", b"\\n")
236
191
.replace(b"\0", b"\\x00"))
237
192
return encoded
238
193
239
194
def encrypt(self, data, password):
240
195
passphrase = self.password_encode(password)
241
196
with tempfile.NamedTemporaryFile(
242
197
dir=self.tempdir) as passfile:
243
198
passfile.write(passphrase)
244
199
passfile.flush()
245
proc = subprocess.Popen([self.gpg, '--symmetric',
200
proc = subprocess.Popen(['gpg', '--symmetric',
246
201
'--passphrase-file',
247
202
passfile.name]
248
203
+ self.gnupgargs,
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
204
stdin = subprocess.PIPE,
205
stdout = subprocess.PIPE,
206
stderr = subprocess.PIPE)
207
ciphertext, err = proc.communicate(input = data)
253
208
if proc.returncode != 0:
254
209
raise PGPError(err)
255
210
return ciphertext
256
211
257
212
def decrypt(self, data, password):
258
213
passphrase = self.password_encode(password)
259
214
with tempfile.NamedTemporaryFile(
260
dir=self.tempdir) as passfile:
215
dir = self.tempdir) as passfile:
261
216
passfile.write(passphrase)
262
217
passfile.flush()
263
proc = subprocess.Popen([self.gpg, '--decrypt',
218
proc = subprocess.Popen(['gpg', '--decrypt',
264
219
'--passphrase-file',
265
220
passfile.name]
266
221
+ self.gnupgargs,
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
222
stdin = subprocess.PIPE,
223
stdout = subprocess.PIPE,
224
stderr = subprocess.PIPE)
225
decrypted_plaintext, err = proc.communicate(input = data)
271
226
if proc.returncode != 0:
272
227
raise PGPError(err)
273
228
return decrypted_plaintext
274
229
275
230
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
303
231
class AvahiError(Exception):
304
232
def __init__(self, value, *args, **kwargs):
305
233
self.value = value
317
245
318
246
class AvahiService(object):
319
247
"""An Avahi (Zeroconf) service.
320
248
321
249
Attributes:
322
250
interface: integer; avahi.IF_UNSPEC or an interface index.
323
251
Used to optionally bind to the specified interface.
335
263
server: D-Bus Server
336
264
bus: dbus.SystemBus()
337
265
"""
338
266
339
267
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
268
interface = avahi.IF_UNSPEC,
269
name = None,
270
servicetype = None,
271
port = None,
272
TXT = None,
273
domain = "",
274
host = "",
275
max_renames = 32768,
276
protocol = avahi.PROTO_UNSPEC,
277
bus = None):
350
278
self.interface = interface
351
279
self.name = name
352
280
self.type = servicetype
361
289
self.server = None
362
290
self.bus = bus
363
291
self.entry_group_state_changed_match = None
364
292
365
293
def rename(self, remove=True):
366
294
"""Derived from the Avahi example code"""
367
295
if self.rename_count >= self.max_renames:
387
315
logger.critical("D-Bus Exception", exc_info=error)
388
316
self.cleanup()
389
317
os._exit(1)
390
318
391
319
def remove(self):
392
320
"""Derived from the Avahi example code"""
393
321
if self.entry_group_state_changed_match is not None:
395
323
self.entry_group_state_changed_match = None
396
324
if self.group is not None:
397
325
self.group.Reset()
398
326
399
327
def add(self):
400
328
"""Derived from the Avahi example code"""
401
329
self.remove()
418
346
dbus.UInt16(self.port),
419
347
avahi.string_array_to_txt_array(self.TXT))
420
348
self.group.Commit()
421
349
422
350
def entry_group_state_changed(self, state, error):
423
351
"""Derived from the Avahi example code"""
424
352
logger.debug("Avahi entry group state change: %i", state)
425
353
426
354
if state == avahi.ENTRY_GROUP_ESTABLISHED:
427
355
logger.debug("Zeroconf service established.")
428
356
elif state == avahi.ENTRY_GROUP_COLLISION:
432
360
logger.critical("Avahi: Error in group state changed %s",
433
361
str(error))
434
362
raise AvahiGroupError("State changed: {!s}".format(error))
435
363
436
364
def cleanup(self):
437
365
"""Derived from the Avahi example code"""
438
366
if self.group is not None:
443
371
pass
444
372
self.group = None
445
373
self.remove()
446
374
447
375
def server_state_changed(self, state, error=None):
448
376
"""Derived from the Avahi example code"""
449
377
logger.debug("Avahi server state change: %i", state)
478
406
logger.debug("Unknown state: %r", state)
479
407
else:
480
408
logger.debug("Unknown state: %r: %r", state, error)
481
409
482
410
def activate(self):
483
411
"""Derived from the Avahi example code"""
484
412
if self.server is None:
501
429
.format(self.name)))
502
430
return ret
503
431
504
505
432
# Pretend that we have a GnuTLS module
506
433
class GnuTLS(object):
507
434
"""This isn't so much a class as it is a module-like namespace.
508
435
It is instantiated once, and simulates having a GnuTLS module."""
509
510
library = ctypes.util.find_library("gnutls")
511
if library is None:
512
library = ctypes.util.find_library("gnutls-deb0")
513
_library = ctypes.cdll.LoadLibrary(library)
514
del library
515
_need_version = b"3.3.0"
516
436
437
_library = ctypes.cdll.LoadLibrary(
438
ctypes.util.find_library("gnutls"))
439
_need_version = "3.3.0"
517
440
def __init__(self):
518
441
# Need to use class name "GnuTLS" here, since this method is
519
442
# called before the assignment to the "gnutls" global variable
521
444
if GnuTLS.check_version(self._need_version) is None:
522
445
raise GnuTLS.Error("Needs GnuTLS {} or later"
523
446
.format(self._need_version))
524
447
525
448
# Unless otherwise indicated, the constants and types below are
526
449
# all from the gnutls/gnutls.h C header file.
527
450
528
451
# Constants
529
452
E_SUCCESS = 0
530
453
E_INTERRUPTED = -52
535
458
CRD_CERTIFICATE = 1
536
459
E_NO_CERTIFICATE_FOUND = -49
537
460
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
461
539
462
# Types
540
463
class session_int(ctypes.Structure):
541
464
_fields_ = []
542
465
session_t = ctypes.POINTER(session_int)
543
544
466
class certificate_credentials_st(ctypes.Structure):
545
467
_fields_ = []
546
468
certificate_credentials_t = ctypes.POINTER(
547
469
certificate_credentials_st)
548
470
certificate_type_t = ctypes.c_int
549
550
471
class datum_t(ctypes.Structure):
551
472
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
473
('size', ctypes.c_uint)]
553
554
474
class openpgp_crt_int(ctypes.Structure):
555
475
_fields_ = []
556
476
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
477
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
478
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
479
credentials_type_t = ctypes.c_int #
560
480
transport_ptr_t = ctypes.c_void_p
561
481
close_request_t = ctypes.c_int
562
482
563
483
# Exceptions
564
484
class Error(Exception):
565
485
# We need to use the class name "GnuTLS" here, since this
566
486
# exception might be raised from within GnuTLS.__init__,
567
487
# which is called before the assignment to the "gnutls"
568
488
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
489
def __init__(self, message = None, code = None, args=()):
570
490
# Default usage is by a message string, but if a return
571
491
# code is passed, convert it to a string with
572
492
# gnutls.strerror()
575
495
message = GnuTLS.strerror(code)
576
496
return super(GnuTLS.Error, self).__init__(
577
497
message, *args)
578
498
579
499
class CertificateSecurityError(Error):
580
500
pass
581
501
582
502
# Classes
583
503
class Credentials(object):
584
504
def __init__(self):
586
506
gnutls.certificate_allocate_credentials(
587
507
ctypes.byref(self._c_object))
588
508
self.type = gnutls.CRD_CERTIFICATE
589
509
590
510
def __del__(self):
591
511
gnutls.certificate_free_credentials(self._c_object)
592
512
593
513
class ClientSession(object):
594
def __init__(self, socket, credentials=None):
514
def __init__(self, socket, credentials = None):
595
515
self._c_object = gnutls.session_t()
596
516
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
517
gnutls.set_default_priority(self._c_object)
605
525
ctypes.cast(credentials._c_object,
606
526
ctypes.c_void_p))
607
527
self.credentials = credentials
608
528
609
529
def __del__(self):
610
530
gnutls.deinit(self._c_object)
611
531
612
532
def handshake(self):
613
533
return gnutls.handshake(self._c_object)
614
534
615
535
def send(self, data):
616
536
data = bytes(data)
617
537
data_len = len(data)
619
539
data_len -= gnutls.record_send(self._c_object,
620
540
data[-data_len:],
621
541
data_len)
622
542
623
543
def bye(self):
624
544
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
625
545
626
546
# Error handling functions
627
547
def _error_code(result):
628
548
"""A function to raise exceptions on errors, suitable
630
550
if result >= 0:
631
551
return result
632
552
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
raise gnutls.CertificateSecurityError(code=result)
634
raise gnutls.Error(code=result)
635
553
raise gnutls.CertificateSecurityError(code = result)
554
raise gnutls.Error(code = result)
555
636
556
def _retry_on_error(result, func, arguments):
637
557
"""A function to retry on some errors, suitable
638
558
for the 'errcheck' attribute on ctypes functions"""
641
561
return _error_code(result)
642
562
result = func(*arguments)
643
563
return result
644
564
645
565
# Unless otherwise indicated, the function declarations below are
646
566
# all from the gnutls/gnutls.h C header file.
647
567
648
568
# Functions
649
569
priority_set_direct = _library.gnutls_priority_set_direct
650
570
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
571
ctypes.POINTER(ctypes.c_char_p)]
652
572
priority_set_direct.restype = _error_code
653
573
654
574
init = _library.gnutls_init
655
575
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
576
init.restype = _error_code
657
577
658
578
set_default_priority = _library.gnutls_set_default_priority
659
579
set_default_priority.argtypes = [session_t]
660
580
set_default_priority.restype = _error_code
661
581
662
582
record_send = _library.gnutls_record_send
663
583
record_send.argtypes = [session_t, ctypes.c_void_p,
664
584
ctypes.c_size_t]
665
585
record_send.restype = ctypes.c_ssize_t
666
586
record_send.errcheck = _retry_on_error
667
587
668
588
certificate_allocate_credentials = (
669
589
_library.gnutls_certificate_allocate_credentials)
670
590
certificate_allocate_credentials.argtypes = [
671
591
ctypes.POINTER(certificate_credentials_t)]
672
592
certificate_allocate_credentials.restype = _error_code
673
593
674
594
certificate_free_credentials = (
675
595
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
596
certificate_free_credentials.argtypes = [certificate_credentials_t]
678
597
certificate_free_credentials.restype = None
679
598
680
599
handshake_set_private_extensions = (
681
600
_library.gnutls_handshake_set_private_extensions)
682
601
handshake_set_private_extensions.argtypes = [session_t,
683
602
ctypes.c_int]
684
603
handshake_set_private_extensions.restype = None
685
604
686
605
credentials_set = _library.gnutls_credentials_set
687
606
credentials_set.argtypes = [session_t, credentials_type_t,
688
607
ctypes.c_void_p]
689
608
credentials_set.restype = _error_code
690
609
691
610
strerror = _library.gnutls_strerror
692
611
strerror.argtypes = [ctypes.c_int]
693
612
strerror.restype = ctypes.c_char_p
694
613
695
614
certificate_type_get = _library.gnutls_certificate_type_get
696
615
certificate_type_get.argtypes = [session_t]
697
616
certificate_type_get.restype = _error_code
698
617
699
618
certificate_get_peers = _library.gnutls_certificate_get_peers
700
619
certificate_get_peers.argtypes = [session_t,
701
620
ctypes.POINTER(ctypes.c_uint)]
702
621
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
622
704
623
global_set_log_level = _library.gnutls_global_set_log_level
705
624
global_set_log_level.argtypes = [ctypes.c_int]
706
625
global_set_log_level.restype = None
707
626
708
627
global_set_log_function = _library.gnutls_global_set_log_function
709
628
global_set_log_function.argtypes = [log_func]
710
629
global_set_log_function.restype = None
711
630
712
631
deinit = _library.gnutls_deinit
713
632
deinit.argtypes = [session_t]
714
633
deinit.restype = None
715
634
716
635
handshake = _library.gnutls_handshake
717
636
handshake.argtypes = [session_t]
718
637
handshake.restype = _error_code
719
638
handshake.errcheck = _retry_on_error
720
639
721
640
transport_set_ptr = _library.gnutls_transport_set_ptr
722
641
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
642
transport_set_ptr.restype = None
724
643
725
644
bye = _library.gnutls_bye
726
645
bye.argtypes = [session_t, close_request_t]
727
646
bye.restype = _error_code
728
647
bye.errcheck = _retry_on_error
729
648
730
649
check_version = _library.gnutls_check_version
731
650
check_version.argtypes = [ctypes.c_char_p]
732
651
check_version.restype = ctypes.c_char_p
733
652
734
653
# All the function declarations below are from gnutls/openpgp.h
735
654
736
655
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
656
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
657
openpgp_crt_init.restype = _error_code
739
658
740
659
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
660
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
661
ctypes.POINTER(datum_t),
743
662
openpgp_crt_fmt_t]
744
663
openpgp_crt_import.restype = _error_code
745
664
746
665
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
666
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
667
ctypes.POINTER(ctypes.c_uint)]
749
668
openpgp_crt_verify_self.restype = _error_code
750
669
751
670
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
671
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
672
openpgp_crt_deinit.restype = None
754
673
755
674
openpgp_crt_get_fingerprint = (
756
675
_library.gnutls_openpgp_crt_get_fingerprint)
757
676
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
678
ctypes.POINTER(
760
679
ctypes.c_size_t)]
761
680
openpgp_crt_get_fingerprint.restype = _error_code
762
681
763
682
# Remove non-public functions
764
683
del _error_code, _retry_on_error
765
684
# Create the global "gnutls" object, simulating a module
766
685
gnutls = GnuTLS()
767
686
768
769
687
def call_pipe(connection, # : multiprocessing.Connection
770
688
func, *args, **kwargs):
771
689
"""This function is meant to be called by multiprocessing.Process
772
690
773
691
This function runs func(*args, **kwargs), and writes the resulting
774
692
return value on the provided multiprocessing.Connection.
775
693
"""
776
694
connection.send(func(*args, **kwargs))
777
695
connection.close()
778
696
779
780
697
class Client(object):
781
698
"""A representation of a client host served by this server.
782
699
783
700
Attributes:
784
701
approved: bool(); 'None' if not yet approved/disapproved
785
702
approval_delay: datetime.timedelta(); Time to wait for approval
787
704
checker: subprocess.Popen(); a running checker process used
788
705
to see if the client lives.
789
706
'None' if no process is running.
790
checker_callback_tag: a GLib event source tag, or None
707
checker_callback_tag: a gobject event source tag, or None
791
708
checker_command: string; External command which is run to check
792
709
if client lives. %() expansions are done at
793
710
runtime with vars(self) as dict, so that for
794
711
instance %(name)s can be used in the command.
795
checker_initiator_tag: a GLib event source tag, or None
712
checker_initiator_tag: a gobject event source tag, or None
796
713
created: datetime.datetime(); (UTC) object creation
797
714
client_structure: Object describing what attributes a client has
798
715
and is used for storing the client at exit
799
716
current_checker_command: string; current running checker_command
800
disable_initiator_tag: a GLib event source tag, or None
717
disable_initiator_tag: a gobject event source tag, or None
801
718
enabled: bool()
802
719
fingerprint: string (40 or 32 hexadecimal digits); used to
803
720
uniquely identify the client
822
739
disabled, or None
823
740
server_settings: The server_settings dict from main()
824
741
"""
825
742
826
743
runtime_expansions = ("approval_delay", "approval_duration",
827
744
"created", "enabled", "expires",
828
745
"fingerprint", "host", "interval",
839
756
"approved_by_default": "True",
840
757
"enabled": "True",
841
758
}
842
759
843
760
@staticmethod
844
761
def config_parser(config):
845
762
"""Construct a new dict of client settings of this form:
852
769
for client_name in config.sections():
853
770
section = dict(config.items(client_name))
854
771
client = settings[client_name] = {}
855
772
856
773
client["host"] = section["host"]
857
774
# Reformat values from string types to Python types
858
775
client["approved_by_default"] = config.getboolean(
859
776
client_name, "approved_by_default")
860
777
client["enabled"] = config.getboolean(client_name,
861
778
"enabled")
862
779
863
780
# Uppercase and remove spaces from fingerprint for later
864
781
# comparison purposes with return value from the
865
782
# fingerprint() function
866
783
client["fingerprint"] = (section["fingerprint"].upper()
867
784
.replace(" ", ""))
868
785
if "secret" in section:
869
client["secret"] = codecs.decode(section["secret"]
870
.encode("utf-8"),
871
"base64")
786
client["secret"] = section["secret"].decode("base64")
872
787
elif "secfile" in section:
873
788
with open(os.path.expanduser(os.path.expandvars
874
789
(section["secfile"])),
889
804
client["last_approval_request"] = None
890
805
client["last_checked_ok"] = None
891
806
client["last_checker_status"] = -2
892
807
893
808
return settings
894
895
def __init__(self, settings, name=None, server_settings=None):
809
810
def __init__(self, settings, name = None, server_settings=None):
896
811
self.name = name
897
812
if server_settings is None:
898
813
server_settings = {}
900
815
# adding all client settings
901
816
for setting, value in settings.items():
902
817
setattr(self, setting, value)
903
818
904
819
if self.enabled:
905
820
if not hasattr(self, "last_enabled"):
906
821
self.last_enabled = datetime.datetime.utcnow()
910
825
else:
911
826
self.last_enabled = None
912
827
self.expires = None
913
828
914
829
logger.debug("Creating client %r", self.name)
915
830
logger.debug(" Fingerprint: %s", self.fingerprint)
916
831
self.created = settings.get("created",
917
832
datetime.datetime.utcnow())
918
833
919
834
# attributes specific for this server instance
920
835
self.checker = None
921
836
self.checker_initiator_tag = None
927
842
self.changedstate = multiprocessing_manager.Condition(
928
843
multiprocessing_manager.Lock())
929
844
self.client_structure = [attr
930
for attr in self.__dict__.keys()
845
for attr in self.__dict__.iterkeys()
931
846
if not attr.startswith("_")]
932
847
self.client_structure.append("client_structure")
933
848
934
849
for name, t in inspect.getmembers(
935
850
type(self), lambda obj: isinstance(obj, property)):
936
851
if not name.startswith("_"):
937
852
self.client_structure.append(name)
938
853
939
854
# Send notice to process children that client state has changed
940
855
def send_changedstate(self):
941
856
with self.changedstate:
942
857
self.changedstate.notify_all()
943
858
944
859
def enable(self):
945
860
"""Start this client's checker and timeout hooks"""
946
861
if getattr(self, "enabled", False):
951
866
self.last_enabled = datetime.datetime.utcnow()
952
867
self.init_checker()
953
868
self.send_changedstate()
954
869
955
870
def disable(self, quiet=True):
956
871
"""Disable this client."""
957
872
if not getattr(self, "enabled", False):
959
874
if not quiet:
960
875
logger.info("Disabling client %s", self.name)
961
876
if getattr(self, "disable_initiator_tag", None) is not None:
962
GLib.source_remove(self.disable_initiator_tag)
877
gobject.source_remove(self.disable_initiator_tag)
963
878
self.disable_initiator_tag = None
964
879
self.expires = None
965
880
if getattr(self, "checker_initiator_tag", None) is not None:
966
GLib.source_remove(self.checker_initiator_tag)
881
gobject.source_remove(self.checker_initiator_tag)
967
882
self.checker_initiator_tag = None
968
883
self.stop_checker()
969
884
self.enabled = False
970
885
if not quiet:
971
886
self.send_changedstate()
972
# Do not run this again if called by a GLib.timeout_add
887
# Do not run this again if called by a gobject.timeout_add
973
888
return False
974
889
975
890
def __del__(self):
976
891
self.disable()
977
892
978
893
def init_checker(self):
979
894
# Schedule a new checker to be started an 'interval' from now,
980
895
# and every interval from then on.
981
896
if self.checker_initiator_tag is not None:
982
GLib.source_remove(self.checker_initiator_tag)
983
self.checker_initiator_tag = GLib.timeout_add(
897
gobject.source_remove(self.checker_initiator_tag)
898
self.checker_initiator_tag = gobject.timeout_add(
984
899
int(self.interval.total_seconds() * 1000),
985
900
self.start_checker)
986
901
# Schedule a disable() when 'timeout' has passed
987
902
if self.disable_initiator_tag is not None:
988
GLib.source_remove(self.disable_initiator_tag)
989
self.disable_initiator_tag = GLib.timeout_add(
903
gobject.source_remove(self.disable_initiator_tag)
904
self.disable_initiator_tag = gobject.timeout_add(
990
905
int(self.timeout.total_seconds() * 1000), self.disable)
991
906
# Also start a new checker *right now*.
992
907
self.start_checker()
993
908
994
909
def checker_callback(self, source, condition, connection,
995
910
command):
996
911
"""The checker has completed, so take appropriate actions."""
999
914
# Read return code from connection (see call_pipe)
1000
915
returncode = connection.recv()
1001
916
connection.close()
1002
917
1003
918
if returncode >= 0:
1004
919
self.last_checker_status = returncode
1005
920
self.last_checker_signal = None
1015
930
logger.warning("Checker for %(name)s crashed?",
1016
931
vars(self))
1017
932
return False
1018
933
1019
934
def checked_ok(self):
1020
935
"""Assert that the client has been seen, alive and well."""
1021
936
self.last_checked_ok = datetime.datetime.utcnow()
1022
937
self.last_checker_status = 0
1023
938
self.last_checker_signal = None
1024
939
self.bump_timeout()
1025
940
1026
941
def bump_timeout(self, timeout=None):
1027
942
"""Bump up the timeout for this client."""
1028
943
if timeout is None:
1029
944
timeout = self.timeout
1030
945
if self.disable_initiator_tag is not None:
1031
GLib.source_remove(self.disable_initiator_tag)
946
gobject.source_remove(self.disable_initiator_tag)
1032
947
self.disable_initiator_tag = None
1033
948
if getattr(self, "enabled", False):
1034
self.disable_initiator_tag = GLib.timeout_add(
949
self.disable_initiator_tag = gobject.timeout_add(
1035
950
int(timeout.total_seconds() * 1000), self.disable)
1036
951
self.expires = datetime.datetime.utcnow() + timeout
1037
952
1038
953
def need_approval(self):
1039
954
self.last_approval_request = datetime.datetime.utcnow()
1040
955
1041
956
def start_checker(self):
1042
957
"""Start a new checker subprocess if one is not running.
1043
958
1044
959
If a checker already exists, leave it running and do
1045
960
nothing."""
1046
961
# The reason for not killing a running checker is that if we
1051
966
# checkers alone, the checker would have to take more time
1052
967
# than 'timeout' for the client to be disabled, which is as it
1053
968
# should be.
1054
969
1055
970
if self.checker is not None and not self.checker.is_alive():
1056
971
logger.warning("Checker was not alive; joining")
1057
972
self.checker.join()
1061
976
# Escape attributes for the shell
1062
977
escaped_attrs = {
1063
978
attr: re.escape(str(getattr(self, attr)))
1064
for attr in self.runtime_expansions}
979
for attr in self.runtime_expansions }
1065
980
try:
1066
981
command = self.checker_command % escaped_attrs
1067
982
except TypeError as error:
1079
994
# The exception is when not debugging but nevertheless
1080
995
# running in the foreground; use the previously
1081
996
# created wnull.
1082
popen_args = {"close_fds": True,
1083
"shell": True,
1084
"cwd": "/"}
997
popen_args = { "close_fds": True,
998
"shell": True,
999
"cwd": "/" }
1085
1000
if (not self.server_settings["debug"]
1086
1001
and self.server_settings["foreground"]):
1087
1002
popen_args.update({"stdout": wnull,
1088
"stderr": wnull})
1089
pipe = multiprocessing.Pipe(duplex=False)
1003
"stderr": wnull })
1004
pipe = multiprocessing.Pipe(duplex = False)
1090
1005
self.checker = multiprocessing.Process(
1091
target=call_pipe,
1092
args=(pipe[1], subprocess.call, command),
1093
kwargs=popen_args)
1006
target = call_pipe,
1007
args = (pipe[1], subprocess.call, command),
1008
kwargs = popen_args)
1094
1009
self.checker.start()
1095
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
1010
self.checker_callback_tag = gobject.io_add_watch(
1011
pipe[0].fileno(), gobject.IO_IN,
1097
1012
self.checker_callback, pipe[0], command)
1098
# Re-run this periodically if run by GLib.timeout_add
1013
# Re-run this periodically if run by gobject.timeout_add
1099
1014
return True
1100
1015
1101
1016
def stop_checker(self):
1102
1017
"""Force the checker process, if any, to stop."""
1103
1018
if self.checker_callback_tag:
1104
GLib.source_remove(self.checker_callback_tag)
1019
gobject.source_remove(self.checker_callback_tag)
1105
1020
self.checker_callback_tag = None
1106
1021
if getattr(self, "checker", None) is None:
1107
1022
return
1116
1031
byte_arrays=False):
1117
1032
"""Decorators for marking methods of a DBusObjectWithProperties to
1118
1033
become properties on the D-Bus.
1119
1034
1120
1035
The decorated method will be called with no arguments by "Get"
1121
1036
and with one argument by "Set".
1122
1037
1123
1038
The parameters, where they are supported, are the same as
1124
1039
dbus.service.method, except there is only "signature", since the
1125
1040
type from Get() and the type sent to Set() is the same.
1129
1044
if byte_arrays and signature != "ay":
1130
1045
raise ValueError("Byte arrays not supported for non-'ay'"
1131
1046
" signature {!r}".format(signature))
1132
1047
1133
1048
def decorator(func):
1134
1049
func._dbus_is_property = True
1135
1050
func._dbus_interface = dbus_interface
1138
1053
func._dbus_name = func.__name__
1139
1054
if func._dbus_name.endswith("_dbus_property"):
1140
1055
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1056
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
1057
return func
1143
1058
1144
1059
return decorator
1145
1060
1146
1061
1147
1062
def dbus_interface_annotations(dbus_interface):
1148
1063
"""Decorator for marking functions returning interface annotations
1149
1064
1150
1065
Usage:
1151
1066
1152
1067
@dbus_interface_annotations("org.example.Interface")
1153
1068
def _foo(self): # Function name does not matter
1154
1069
return {"org.freedesktop.DBus.Deprecated": "true",
1155
1070
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1156
1071
"false"}
1157
1072
"""
1158
1073
1159
1074
def decorator(func):
1160
1075
func._dbus_is_interface = True
1161
1076
func._dbus_interface = dbus_interface
1162
1077
func._dbus_name = dbus_interface
1163
1078
return func
1164
1079
1165
1080
return decorator
1166
1081
1167
1082
1168
1083
def dbus_annotations(annotations):
1169
1084
"""Decorator to annotate D-Bus methods, signals or properties
1170
1085
Usage:
1171
1086
1172
1087
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1173
1088
"org.freedesktop.DBus.Property."
1174
1089
"EmitsChangedSignal": "false"})
1176
1091
access="r")
1177
1092
def Property_dbus_property(self):
1178
1093
return dbus.Boolean(False)
1179
1094
1180
1095
See also the DBusObjectWithAnnotations class.
1181
1096
"""
1182
1097
1183
1098
def decorator(func):
1184
1099
func._dbus_annotations = annotations
1185
1100
return func
1186
1101
1187
1102
return decorator
1188
1103
1189
1104
1207
1122
1208
1123
class DBusObjectWithAnnotations(dbus.service.Object):
1209
1124
"""A D-Bus object with annotations.
1210
1125
1211
1126
Classes inheriting from this can use the dbus_annotations
1212
1127
decorator to add annotations to methods or signals.
1213
1128
"""
1214
1129
1215
1130
@staticmethod
1216
1131
def _is_dbus_thing(thing):
1217
1132
"""Returns a function testing if an attribute is a D-Bus thing
1218
1133
1219
1134
If called like _is_dbus_thing("method") it returns a function
1220
1135
suitable for use as predicate to inspect.getmembers().
1221
1136
"""
1222
1137
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1223
1138
False)
1224
1139
1225
1140
def _get_all_dbus_things(self, thing):
1226
1141
"""Returns a generator of (name, attribute) pairs
1227
1142
"""
1230
1145
for cls in self.__class__.__mro__
1231
1146
for name, athing in
1232
1147
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1233
1148
1234
1149
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1235
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
1150
out_signature = "s",
1151
path_keyword = 'object_path',
1152
connection_keyword = 'connection')
1238
1153
def Introspect(self, object_path, connection):
1239
1154
"""Overloading of standard D-Bus method.
1240
1155
1241
1156
Inserts annotation tags on methods and signals.
1242
1157
"""
1243
1158
xmlstring = dbus.service.Object.Introspect(self, object_path,
1244
1159
connection)
1245
1160
try:
1246
1161
document = xml.dom.minidom.parseString(xmlstring)
1247
1162
1248
1163
for if_tag in document.getElementsByTagName("interface"):
1249
1164
# Add annotation tags
1250
1165
for typ in ("method", "signal"):
1277
1192
if_tag.appendChild(ann_tag)
1278
1193
# Fix argument name for the Introspect method itself
1279
1194
if (if_tag.getAttribute("name")
1280
== dbus.INTROSPECTABLE_IFACE):
1195
== dbus.INTROSPECTABLE_IFACE):
1281
1196
for cn in if_tag.getElementsByTagName("method"):
1282
1197
if cn.getAttribute("name") == "Introspect":
1283
1198
for arg in cn.getElementsByTagName("arg"):
1296
1211
1297
1212
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1298
1213
"""A D-Bus object with properties.
1299
1214
1300
1215
Classes inheriting from this can use the dbus_service_property
1301
1216
decorator to expose methods as D-Bus properties. It exposes the
1302
1217
standard Get(), Set(), and GetAll() methods on the D-Bus.
1303
1218
"""
1304
1219
1305
1220
def _get_dbus_property(self, interface_name, property_name):
1306
1221
"""Returns a bound method if one exists which is a D-Bus
1307
1222
property with the specified name and interface.
1312
1227
if (value._dbus_name == property_name
1313
1228
and value._dbus_interface == interface_name):
1314
1229
return value.__get__(self)
1315
1230
1316
1231
# No such property
1317
1232
raise DBusPropertyNotFound("{}:{}.{}".format(
1318
1233
self.dbus_object_path, interface_name, property_name))
1319
1234
1320
1235
@classmethod
1321
1236
def _get_all_interface_names(cls):
1322
1237
"""Get a sequence of all interfaces supported by an object"""
1325
1240
for x in (inspect.getmro(cls))
1326
1241
for attr in dir(x))
1327
1242
if name is not None)
1328
1243
1329
1244
@dbus.service.method(dbus.PROPERTIES_IFACE,
1330
1245
in_signature="ss",
1331
1246
out_signature="v")
1339
1254
if not hasattr(value, "variant_level"):
1340
1255
return value
1341
1256
return type(value)(value, variant_level=value.variant_level+1)
1342
1257
1343
1258
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1344
1259
def Set(self, interface_name, property_name, value):
1345
1260
"""Standard D-Bus property Set() method, see D-Bus standard.
1357
1272
value = dbus.ByteArray(b''.join(chr(byte)
1358
1273
for byte in value))
1359
1274
prop(value)
1360
1275
1361
1276
@dbus.service.method(dbus.PROPERTIES_IFACE,
1362
1277
in_signature="s",
1363
1278
out_signature="a{sv}")
1364
1279
def GetAll(self, interface_name):
1365
1280
"""Standard D-Bus property GetAll() method, see D-Bus
1366
1281
standard.
1367
1282
1368
1283
Note: Will not include properties with access="write".
1369
1284
"""
1370
1285
properties = {}
1381
1296
properties[name] = value
1382
1297
continue
1383
1298
properties[name] = type(value)(
1384
value, variant_level=value.variant_level + 1)
1299
value, variant_level = value.variant_level + 1)
1385
1300
return dbus.Dictionary(properties, signature="sv")
1386
1301
1387
1302
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1388
1303
def PropertiesChanged(self, interface_name, changed_properties,
1389
1304
invalidated_properties):
1391
1306
standard.
1392
1307
"""
1393
1308
pass
1394
1309
1395
1310
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1396
1311
out_signature="s",
1397
1312
path_keyword='object_path',
1398
1313
connection_keyword='connection')
1399
1314
def Introspect(self, object_path, connection):
1400
1315
"""Overloading of standard D-Bus method.
1401
1316
1402
1317
Inserts property tags and interface annotation tags.
1403
1318
"""
1404
1319
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1406
1321
connection)
1407
1322
try:
1408
1323
document = xml.dom.minidom.parseString(xmlstring)
1409
1324
1410
1325
def make_tag(document, name, prop):
1411
1326
e = document.createElement("property")
1412
1327
e.setAttribute("name", name)
1413
1328
e.setAttribute("type", prop._dbus_signature)
1414
1329
e.setAttribute("access", prop._dbus_access)
1415
1330
return e
1416
1331
1417
1332
for if_tag in document.getElementsByTagName("interface"):
1418
1333
# Add property tags
1419
1334
for tag in (make_tag(document, name, prop)
1466
1381
except AttributeError:
1467
1382
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1468
1383
1469
1470
1384
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1471
1385
"""A D-Bus object with an ObjectManager.
1472
1386
1473
1387
Classes inheriting from this exposes the standard
1474
1388
GetManagedObjects call and the InterfacesAdded and
1475
1389
InterfacesRemoved signals on the standard
1476
1390
"org.freedesktop.DBus.ObjectManager" interface.
1477
1391
1478
1392
Note: No signals are sent automatically; they must be sent
1479
1393
manually.
1480
1394
"""
1481
1395
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1482
out_signature="a{oa{sa{sv}}}")
1396
out_signature = "a{oa{sa{sv}}}")
1483
1397
def GetManagedObjects(self):
1484
1398
"""This function must be overridden"""
1485
1399
raise NotImplementedError()
1486
1400
1487
1401
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1488
signature="oa{sa{sv}}")
1402
signature = "oa{sa{sv}}")
1489
1403
def InterfacesAdded(self, object_path, interfaces_and_properties):
1490
1404
pass
1491
1492
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1405
1406
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1493
1407
def InterfacesRemoved(self, object_path, interfaces):
1494
1408
pass
1495
1409
1496
1410
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1497
out_signature="s",
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1411
out_signature = "s",
1412
path_keyword = 'object_path',
1413
connection_keyword = 'connection')
1500
1414
def Introspect(self, object_path, connection):
1501
1415
"""Overloading of standard D-Bus method.
1502
1416
1503
1417
Override return argument name of GetManagedObjects to be
1504
1418
"objpath_interfaces_and_properties"
1505
1419
"""
1508
1422
connection)
1509
1423
try:
1510
1424
document = xml.dom.minidom.parseString(xmlstring)
1511
1425
1512
1426
for if_tag in document.getElementsByTagName("interface"):
1513
1427
# Fix argument name for the GetManagedObjects method
1514
1428
if (if_tag.getAttribute("name")
1515
== dbus.OBJECT_MANAGER_IFACE):
1429
== dbus.OBJECT_MANAGER_IFACE):
1516
1430
for cn in if_tag.getElementsByTagName("method"):
1517
1431
if (cn.getAttribute("name")
1518
1432
== "GetManagedObjects"):
1528
1442
except (AttributeError, xml.dom.DOMException,
1529
1443
xml.parsers.expat.ExpatError) as error:
1530
1444
logger.error("Failed to override Introspection method",
1531
exc_info=error)
1445
exc_info = error)
1532
1446
return xmlstring
1533
1447
1534
1535
1448
def datetime_to_dbus(dt, variant_level=0):
1536
1449
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1537
1450
if dt is None:
1538
return dbus.String("", variant_level=variant_level)
1451
return dbus.String("", variant_level = variant_level)
1539
1452
return dbus.String(dt.isoformat(), variant_level=variant_level)
1540
1453
1541
1454
1544
1457
dbus.service.Object, it will add alternate D-Bus attributes with
1545
1458
interface names according to the "alt_interface_names" mapping.
1546
1459
Usage:
1547
1460
1548
1461
@alternate_dbus_interfaces({"org.example.Interface":
1549
1462
"net.example.AlternateInterface"})
1550
1463
class SampleDBusObject(dbus.service.Object):
1551
1464
@dbus.service.method("org.example.Interface")
1552
1465
def SampleDBusMethod():
1553
1466
pass
1554
1467
1555
1468
The above "SampleDBusMethod" on "SampleDBusObject" will be
1556
1469
reachable via two interfaces: "org.example.Interface" and
1557
1470
"net.example.AlternateInterface", the latter of which will have
1558
1471
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1559
1472
"true", unless "deprecate" is passed with a False value.
1560
1473
1561
1474
This works for methods and signals, and also for D-Bus properties
1562
1475
(from DBusObjectWithProperties) and interfaces (from the
1563
1476
dbus_interface_annotations decorator).
1564
1477
"""
1565
1478
1566
1479
def wrapper(cls):
1567
1480
for orig_interface_name, alt_interface_name in (
1568
1481
alt_interface_names.items()):
1583
1496
interface_names.add(alt_interface)
1584
1497
# Is this a D-Bus signal?
1585
1498
if getattr(attribute, "_dbus_is_signal", False):
1586
# Extract the original non-method undecorated
1587
# function by black magic
1588
1499
if sys.version_info.major == 2:
1500
# Extract the original non-method undecorated
1501
# function by black magic
1589
1502
nonmethod_func = (dict(
1590
1503
zip(attribute.func_code.co_freevars,
1591
1504
attribute.__closure__))
1592
1505
["func"].cell_contents)
1593
1506
else:
1594
nonmethod_func = (dict(
1595
zip(attribute.__code__.co_freevars,
1596
attribute.__closure__))
1597
["func"].cell_contents)
1507
nonmethod_func = attribute
1598
1508
# Create a new, but exactly alike, function
1599
1509
# object, and decorate it to be a new D-Bus signal
1600
1510
# with the alternate D-Bus interface name
1601
new_function = copy_function(nonmethod_func)
1511
if sys.version_info.major == 2:
1512
new_function = types.FunctionType(
1513
nonmethod_func.func_code,
1514
nonmethod_func.func_globals,
1515
nonmethod_func.func_name,
1516
nonmethod_func.func_defaults,
1517
nonmethod_func.func_closure)
1518
else:
1519
new_function = types.FunctionType(
1520
nonmethod_func.__code__,
1521
nonmethod_func.__globals__,
1522
nonmethod_func.__name__,
1523
nonmethod_func.__defaults__,
1524
nonmethod_func.__closure__)
1602
1525
new_function = (dbus.service.signal(
1603
1526
alt_interface,
1604
1527
attribute._dbus_signature)(new_function))
1608
1531
attribute._dbus_annotations)
1609
1532
except AttributeError:
1610
1533
pass
1611
1612
1534
# Define a creator of a function to call both the
1613
1535
# original and alternate functions, so both the
1614
1536
# original and alternate signals gets sent when
1617
1539
"""This function is a scope container to pass
1618
1540
func1 and func2 to the "call_both" function
1619
1541
outside of its arguments"""
1620
1542
1621
1543
@functools.wraps(func2)
1622
1544
def call_both(*args, **kwargs):
1623
1545
"""This function will emit two D-Bus
1624
1546
signals by calling func1 and func2"""
1625
1547
func1(*args, **kwargs)
1626
1548
func2(*args, **kwargs)
1627
# Make wrapper function look like a D-Bus
1628
# signal
1549
# Make wrapper function look like a D-Bus signal
1629
1550
for name, attr in inspect.getmembers(func2):
1630
1551
if name.startswith("_dbus_"):
1631
1552
setattr(call_both, name, attr)
1632
1553
1633
1554
return call_both
1634
1555
# Create the "call_both" function and add it to
1635
1556
# the class
1645
1566
alt_interface,
1646
1567
attribute._dbus_in_signature,
1647
1568
attribute._dbus_out_signature)
1648
(copy_function(attribute)))
1569
(types.FunctionType(attribute.func_code,
1570
attribute.func_globals,
1571
attribute.func_name,
1572
attribute.func_defaults,
1573
attribute.func_closure)))
1649
1574
# Copy annotations, if any
1650
1575
try:
1651
1576
attr[attrname]._dbus_annotations = dict(
1663
1588
attribute._dbus_access,
1664
1589
attribute._dbus_get_args_options
1665
1590
["byte_arrays"])
1666
(copy_function(attribute)))
1591
(types.FunctionType(
1592
attribute.func_code,
1593
attribute.func_globals,
1594
attribute.func_name,
1595
attribute.func_defaults,
1596
attribute.func_closure)))
1667
1597
# Copy annotations, if any
1668
1598
try:
1669
1599
attr[attrname]._dbus_annotations = dict(
1678
1608
# to the class.
1679
1609
attr[attrname] = (
1680
1610
dbus_interface_annotations(alt_interface)
1681
(copy_function(attribute)))
1611
(types.FunctionType(attribute.func_code,
1612
attribute.func_globals,
1613
attribute.func_name,
1614
attribute.func_defaults,
1615
attribute.func_closure)))
1682
1616
if deprecate:
1683
1617
# Deprecate all alternate interfaces
1684
iname = "_AlternateDBusNames_interface_annotation{}"
1618
iname="_AlternateDBusNames_interface_annotation{}"
1685
1619
for interface_name in interface_names:
1686
1620
1687
1621
@dbus_interface_annotations(interface_name)
1688
1622
def func(self):
1689
return {"org.freedesktop.DBus.Deprecated":
1690
"true"}
1623
return { "org.freedesktop.DBus.Deprecated":
1624
"true" }
1691
1625
# Find an unused name
1692
1626
for aname in (iname.format(i)
1693
1627
for i in itertools.count()):
1697
1631
if interface_names:
1698
1632
# Replace the class with a new subclass of it with
1699
1633
# methods, signals, etc. as created above.
1700
if sys.version_info.major == 2:
1701
cls = type(b"{}Alternate".format(cls.__name__),
1702
(cls, ), attr)
1703
else:
1704
cls = type("{}Alternate".format(cls.__name__),
1705
(cls, ), attr)
1634
cls = type(b"{}Alternate".format(cls.__name__),
1635
(cls, ), attr)
1706
1636
return cls
1707
1637
1708
1638
return wrapper
1709
1639
1710
1640
1712
1642
"se.bsnet.fukt.Mandos"})
1713
1643
class ClientDBus(Client, DBusObjectWithProperties):
1714
1644
"""A Client class using D-Bus
1715
1645
1716
1646
Attributes:
1717
1647
dbus_object_path: dbus.ObjectPath
1718
1648
bus: dbus.SystemBus()
1719
1649
"""
1720
1650
1721
1651
runtime_expansions = (Client.runtime_expansions
1722
1652
+ ("dbus_object_path", ))
1723
1653
1724
1654
_interface = "se.recompile.Mandos.Client"
1725
1655
1726
1656
# dbus.service.Object doesn't use super(), so we can't either.
1727
1728
def __init__(self, bus=None, *args, **kwargs):
1657
1658
def __init__(self, bus = None, *args, **kwargs):
1729
1659
self.bus = bus
1730
1660
Client.__init__(self, *args, **kwargs)
1731
1661
# Only now, when this client is initialized, can it show up on
1737
1667
"/clients/" + client_object_name)
1738
1668
DBusObjectWithProperties.__init__(self, self.bus,
1739
1669
self.dbus_object_path)
1740
1670
1741
1671
def notifychangeproperty(transform_func, dbus_name,
1742
1672
type_func=lambda x: x,
1743
1673
variant_level=1,
1745
1675
_interface=_interface):
1746
1676
""" Modify a variable so that it's a property which announces
1747
1677
its changes to DBus.
1748
1678
1749
1679
transform_fun: Function that takes a value and a variant_level
1750
1680
and transforms it to a D-Bus type.
1751
1681
dbus_name: D-Bus name of the variable
1754
1684
variant_level: D-Bus variant level. Default: 1
1755
1685
"""
1756
1686
attrname = "_{}".format(dbus_name)
1757
1687
1758
1688
def setter(self, value):
1759
1689
if hasattr(self, "dbus_object_path"):
1760
1690
if (not hasattr(self, attrname) or
1767
1697
else:
1768
1698
dbus_value = transform_func(
1769
1699
type_func(value),
1770
variant_level=variant_level)
1700
variant_level = variant_level)
1771
1701
self.PropertyChanged(dbus.String(dbus_name),
1772
1702
dbus_value)
1773
1703
self.PropertiesChanged(
1774
1704
_interface,
1775
dbus.Dictionary({dbus.String(dbus_name):
1776
dbus_value}),
1705
dbus.Dictionary({ dbus.String(dbus_name):
1706
dbus_value }),
1777
1707
dbus.Array())
1778
1708
setattr(self, attrname, value)
1779
1709
1780
1710
return property(lambda self: getattr(self, attrname), setter)
1781
1711
1782
1712
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1783
1713
approvals_pending = notifychangeproperty(dbus.Boolean,
1784
1714
"ApprovalPending",
1785
type_func=bool)
1715
type_func = bool)
1786
1716
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1787
1717
last_enabled = notifychangeproperty(datetime_to_dbus,
1788
1718
"LastEnabled")
1789
1719
checker = notifychangeproperty(
1790
1720
dbus.Boolean, "CheckerRunning",
1791
type_func=lambda checker: checker is not None)
1721
type_func = lambda checker: checker is not None)
1792
1722
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1793
1723
"LastCheckedOK")
1794
1724
last_checker_status = notifychangeproperty(dbus.Int16,
1799
1729
"ApprovedByDefault")
1800
1730
approval_delay = notifychangeproperty(
1801
1731
dbus.UInt64, "ApprovalDelay",
1802
type_func=lambda td: td.total_seconds() * 1000)
1732
type_func = lambda td: td.total_seconds() * 1000)
1803
1733
approval_duration = notifychangeproperty(
1804
1734
dbus.UInt64, "ApprovalDuration",
1805
type_func=lambda td: td.total_seconds() * 1000)
1735
type_func = lambda td: td.total_seconds() * 1000)
1806
1736
host = notifychangeproperty(dbus.String, "Host")
1807
1737
timeout = notifychangeproperty(
1808
1738
dbus.UInt64, "Timeout",
1809
type_func=lambda td: td.total_seconds() * 1000)
1739
type_func = lambda td: td.total_seconds() * 1000)
1810
1740
extended_timeout = notifychangeproperty(
1811
1741
dbus.UInt64, "ExtendedTimeout",
1812
type_func=lambda td: td.total_seconds() * 1000)
1742
type_func = lambda td: td.total_seconds() * 1000)
1813
1743
interval = notifychangeproperty(
1814
1744
dbus.UInt64, "Interval",
1815
type_func=lambda td: td.total_seconds() * 1000)
1745
type_func = lambda td: td.total_seconds() * 1000)
1816
1746
checker_command = notifychangeproperty(dbus.String, "Checker")
1817
1747
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1818
1748
invalidate_only=True)
1819
1749
1820
1750
del notifychangeproperty
1821
1751
1822
1752
def __del__(self, *args, **kwargs):
1823
1753
try:
1824
1754
self.remove_from_connection()
1827
1757
if hasattr(DBusObjectWithProperties, "__del__"):
1828
1758
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1829
1759
Client.__del__(self, *args, **kwargs)
1830
1760
1831
1761
def checker_callback(self, source, condition,
1832
1762
connection, command, *args, **kwargs):
1833
1763
ret = Client.checker_callback(self, source, condition,
1849
1779
| self.last_checker_signal),
1850
1780
dbus.String(command))
1851
1781
return ret
1852
1782
1853
1783
def start_checker(self, *args, **kwargs):
1854
1784
old_checker_pid = getattr(self.checker, "pid", None)
1855
1785
r = Client.start_checker(self, *args, **kwargs)
1859
1789
# Emit D-Bus signal
1860
1790
self.CheckerStarted(self.current_checker_command)
1861
1791
return r
1862
1792
1863
1793
def _reset_approved(self):
1864
1794
self.approved = None
1865
1795
return False
1866
1796
1867
1797
def approve(self, value=True):
1868
1798
self.approved = value
1869
GLib.timeout_add(int(self.approval_duration.total_seconds()
1870
* 1000), self._reset_approved)
1799
gobject.timeout_add(int(self.approval_duration.total_seconds()
1800
* 1000), self._reset_approved)
1871
1801
self.send_changedstate()
1872
1873
# D-Bus methods, signals & properties
1874
1875
# Interfaces
1876
1877
# Signals
1878
1802
1803
## D-Bus methods, signals & properties
1804
1805
## Interfaces
1806
1807
## Signals
1808
1879
1809
# CheckerCompleted - signal
1880
1810
@dbus.service.signal(_interface, signature="nxs")
1881
1811
def CheckerCompleted(self, exitcode, waitstatus, command):
1882
1812
"D-Bus signal"
1883
1813
pass
1884
1814
1885
1815
# CheckerStarted - signal
1886
1816
@dbus.service.signal(_interface, signature="s")
1887
1817
def CheckerStarted(self, command):
1888
1818
"D-Bus signal"
1889
1819
pass
1890
1820
1891
1821
# PropertyChanged - signal
1892
1822
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1893
1823
@dbus.service.signal(_interface, signature="sv")
1894
1824
def PropertyChanged(self, property, value):
1895
1825
"D-Bus signal"
1896
1826
pass
1897
1827
1898
1828
# GotSecret - signal
1899
1829
@dbus.service.signal(_interface)
1900
1830
def GotSecret(self):
1903
1833
server to mandos-client
1904
1834
"""
1905
1835
pass
1906
1836
1907
1837
# Rejected - signal
1908
1838
@dbus.service.signal(_interface, signature="s")
1909
1839
def Rejected(self, reason):
1910
1840
"D-Bus signal"
1911
1841
pass
1912
1842
1913
1843
# NeedApproval - signal
1914
1844
@dbus.service.signal(_interface, signature="tb")
1915
1845
def NeedApproval(self, timeout, default):
1916
1846
"D-Bus signal"
1917
1847
return self.need_approval()
1918
1919
# Methods
1920
1848
1849
## Methods
1850
1921
1851
# Approve - method
1922
1852
@dbus.service.method(_interface, in_signature="b")
1923
1853
def Approve(self, value):
1924
1854
self.approve(value)
1925
1855
1926
1856
# CheckedOK - method
1927
1857
@dbus.service.method(_interface)
1928
1858
def CheckedOK(self):
1929
1859
self.checked_ok()
1930
1860
1931
1861
# Enable - method
1932
1862
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1933
1863
@dbus.service.method(_interface)
1934
1864
def Enable(self):
1935
1865
"D-Bus method"
1936
1866
self.enable()
1937
1867
1938
1868
# StartChecker - method
1939
1869
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1940
1870
@dbus.service.method(_interface)
1941
1871
def StartChecker(self):
1942
1872
"D-Bus method"
1943
1873
self.start_checker()
1944
1874
1945
1875
# Disable - method
1946
1876
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1947
1877
@dbus.service.method(_interface)
1948
1878
def Disable(self):
1949
1879
"D-Bus method"
1950
1880
self.disable()
1951
1881
1952
1882
# StopChecker - method
1953
1883
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1954
1884
@dbus.service.method(_interface)
1955
1885
def StopChecker(self):
1956
1886
self.stop_checker()
1957
1958
# Properties
1959
1887
1888
## Properties
1889
1960
1890
# ApprovalPending - property
1961
1891
@dbus_service_property(_interface, signature="b", access="read")
1962
1892
def ApprovalPending_dbus_property(self):
1963
1893
return dbus.Boolean(bool(self.approvals_pending))
1964
1894
1965
1895
# ApprovedByDefault - property
1966
1896
@dbus_service_property(_interface,
1967
1897
signature="b",
1970
1900
if value is None: # get
1971
1901
return dbus.Boolean(self.approved_by_default)
1972
1902
self.approved_by_default = bool(value)
1973
1903
1974
1904
# ApprovalDelay - property
1975
1905
@dbus_service_property(_interface,
1976
1906
signature="t",
1980
1910
return dbus.UInt64(self.approval_delay.total_seconds()
1981
1911
* 1000)
1982
1912
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1983
1913
1984
1914
# ApprovalDuration - property
1985
1915
@dbus_service_property(_interface,
1986
1916
signature="t",
1990
1920
return dbus.UInt64(self.approval_duration.total_seconds()
1991
1921
* 1000)
1992
1922
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1993
1923
1994
1924
# Name - property
1995
1925
@dbus_annotations(
1996
1926
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1997
1927
@dbus_service_property(_interface, signature="s", access="read")
1998
1928
def Name_dbus_property(self):
1999
1929
return dbus.String(self.name)
2000
1930
2001
1931
# Fingerprint - property
2002
1932
@dbus_annotations(
2003
1933
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2004
1934
@dbus_service_property(_interface, signature="s", access="read")
2005
1935
def Fingerprint_dbus_property(self):
2006
1936
return dbus.String(self.fingerprint)
2007
1937
2008
1938
# Host - property
2009
1939
@dbus_service_property(_interface,
2010
1940
signature="s",
2013
1943
if value is None: # get
2014
1944
return dbus.String(self.host)
2015
1945
self.host = str(value)
2016
1946
2017
1947
# Created - property
2018
1948
@dbus_annotations(
2019
1949
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2020
1950
@dbus_service_property(_interface, signature="s", access="read")
2021
1951
def Created_dbus_property(self):
2022
1952
return datetime_to_dbus(self.created)
2023
1953
2024
1954
# LastEnabled - property
2025
1955
@dbus_service_property(_interface, signature="s", access="read")
2026
1956
def LastEnabled_dbus_property(self):
2027
1957
return datetime_to_dbus(self.last_enabled)
2028
1958
2029
1959
# Enabled - property
2030
1960
@dbus_service_property(_interface,
2031
1961
signature="b",
2037
1967
self.enable()
2038
1968
else:
2039
1969
self.disable()
2040
1970
2041
1971
# LastCheckedOK - property
2042
1972
@dbus_service_property(_interface,
2043
1973
signature="s",
2047
1977
self.checked_ok()
2048
1978
return
2049
1979
return datetime_to_dbus(self.last_checked_ok)
2050
1980
2051
1981
# LastCheckerStatus - property
2052
1982
@dbus_service_property(_interface, signature="n", access="read")
2053
1983
def LastCheckerStatus_dbus_property(self):
2054
1984
return dbus.Int16(self.last_checker_status)
2055
1985
2056
1986
# Expires - property
2057
1987
@dbus_service_property(_interface, signature="s", access="read")
2058
1988
def Expires_dbus_property(self):
2059
1989
return datetime_to_dbus(self.expires)
2060
1990
2061
1991
# LastApprovalRequest - property
2062
1992
@dbus_service_property(_interface, signature="s", access="read")
2063
1993
def LastApprovalRequest_dbus_property(self):
2064
1994
return datetime_to_dbus(self.last_approval_request)
2065
1995
2066
1996
# Timeout - property
2067
1997
@dbus_service_property(_interface,
2068
1998
signature="t",
2083
2013
if (getattr(self, "disable_initiator_tag", None)
2084
2014
is None):
2085
2015
return
2086
GLib.source_remove(self.disable_initiator_tag)
2087
self.disable_initiator_tag = GLib.timeout_add(
2016
gobject.source_remove(self.disable_initiator_tag)
2017
self.disable_initiator_tag = gobject.timeout_add(
2088
2018
int((self.expires - now).total_seconds() * 1000),
2089
2019
self.disable)
2090
2020
2091
2021
# ExtendedTimeout - property
2092
2022
@dbus_service_property(_interface,
2093
2023
signature="t",
2097
2027
return dbus.UInt64(self.extended_timeout.total_seconds()
2098
2028
* 1000)
2099
2029
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2100
2030
2101
2031
# Interval - property
2102
2032
@dbus_service_property(_interface,
2103
2033
signature="t",
2110
2040
return
2111
2041
if self.enabled:
2112
2042
# Reschedule checker run
2113
GLib.source_remove(self.checker_initiator_tag)
2114
self.checker_initiator_tag = GLib.timeout_add(
2043
gobject.source_remove(self.checker_initiator_tag)
2044
self.checker_initiator_tag = gobject.timeout_add(
2115
2045
value, self.start_checker)
2116
self.start_checker() # Start one now, too
2117
2046
self.start_checker() # Start one now, too
2047
2118
2048
# Checker - property
2119
2049
@dbus_service_property(_interface,
2120
2050
signature="s",
2123
2053
if value is None: # get
2124
2054
return dbus.String(self.checker_command)
2125
2055
self.checker_command = str(value)
2126
2056
2127
2057
# CheckerRunning - property
2128
2058
@dbus_service_property(_interface,
2129
2059
signature="b",
2135
2065
self.start_checker()
2136
2066
else:
2137
2067
self.stop_checker()
2138
2068
2139
2069
# ObjectPath - property
2140
2070
@dbus_annotations(
2141
2071
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2142
2072
"org.freedesktop.DBus.Deprecated": "true"})
2143
2073
@dbus_service_property(_interface, signature="o", access="read")
2144
2074
def ObjectPath_dbus_property(self):
2145
return self.dbus_object_path # is already a dbus.ObjectPath
2146
2075
return self.dbus_object_path # is already a dbus.ObjectPath
2076
2147
2077
# Secret = property
2148
2078
@dbus_annotations(
2149
2079
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2154
2084
byte_arrays=True)
2155
2085
def Secret_dbus_property(self, value):
2156
2086
self.secret = bytes(value)
2157
2087
2158
2088
del _interface
2159
2089
2160
2090
2164
2094
self._pipe.send(('init', fpr, address))
2165
2095
if not self._pipe.recv():
2166
2096
raise KeyError(fpr)
2167
2097
2168
2098
def __getattribute__(self, name):
2169
2099
if name == '_pipe':
2170
2100
return super(ProxyClient, self).__getattribute__(name)
2173
2103
if data[0] == 'data':
2174
2104
return data[1]
2175
2105
if data[0] == 'function':
2176
2106
2177
2107
def func(*args, **kwargs):
2178
2108
self._pipe.send(('funcall', name, args, kwargs))
2179
2109
return self._pipe.recv()[1]
2180
2110
2181
2111
return func
2182
2112
2183
2113
def __setattr__(self, name, value):
2184
2114
if name == '_pipe':
2185
2115
return super(ProxyClient, self).__setattr__(name, value)
2188
2118
2189
2119
class ClientHandler(socketserver.BaseRequestHandler, object):
2190
2120
"""A class to handle client connections.
2191
2121
2192
2122
Instantiated once for each connection to handle it.
2193
2123
Note: This will run in its own forked process."""
2194
2124
2195
2125
def handle(self):
2196
2126
with contextlib.closing(self.server.child_pipe) as child_pipe:
2197
2127
logger.info("TCP connection from: %s",
2198
2128
str(self.client_address))
2199
2129
logger.debug("Pipe FD: %d",
2200
2130
self.server.child_pipe.fileno())
2201
2131
2202
2132
session = gnutls.ClientSession(self.request)
2203
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2205
# "+AES-256-CBC", "+SHA1",
2206
# "+COMP-NULL", "+CTYPE-OPENPGP",
2207
# "+DHE-DSS"))
2133
2134
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2135
# "+AES-256-CBC", "+SHA1",
2136
# "+COMP-NULL", "+CTYPE-OPENPGP",
2137
# "+DHE-DSS"))
2208
2138
# Use a fallback default, since this MUST be set.
2209
2139
priority = self.server.gnutls_priority
2210
2140
if priority is None:
2211
2141
priority = "NORMAL"
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2142
gnutls.priority_set_direct(session._c_object, priority,
2214
2143
None)
2215
2144
2216
2145
# Start communication using the Mandos protocol
2217
2146
# Get protocol number
2218
2147
line = self.request.makefile().readline()
2223
2152
except (ValueError, IndexError, RuntimeError) as error:
2224
2153
logger.error("Unknown protocol version: %s", error)
2225
2154
return
2226
2155
2227
2156
# Start GnuTLS connection
2228
2157
try:
2229
2158
session.handshake()
2233
2162
# established. Just abandon the request.
2234
2163
return
2235
2164
logger.debug("Handshake succeeded")
2236
2165
2237
2166
approval_required = False
2238
2167
try:
2239
2168
try:
2243
2172
logger.warning("Bad certificate: %s", error)
2244
2173
return
2245
2174
logger.debug("Fingerprint: %s", fpr)
2246
2175
2247
2176
try:
2248
2177
client = ProxyClient(child_pipe, fpr,
2249
2178
self.client_address)
2250
2179
except KeyError:
2251
2180
return
2252
2181
2253
2182
if client.approval_delay:
2254
2183
delay = client.approval_delay
2255
2184
client.approvals_pending += 1
2256
2185
approval_required = True
2257
2186
2258
2187
while True:
2259
2188
if not client.enabled:
2260
2189
logger.info("Client %s is disabled",
2263
2192
# Emit D-Bus signal
2264
2193
client.Rejected("Disabled")
2265
2194
return
2266
2195
2267
2196
if client.approved or not client.approval_delay:
2268
# We are approved or approval is disabled
2197
#We are approved or approval is disabled
2269
2198
break
2270
2199
elif client.approved is None:
2271
2200
logger.info("Client %s needs approval",
2282
2211
# Emit D-Bus signal
2283
2212
client.Rejected("Denied")
2284
2213
return
2285
2286
# wait until timeout or approved
2214
2215
#wait until timeout or approved
2287
2216
time = datetime.datetime.now()
2288
2217
client.changedstate.acquire()
2289
2218
client.changedstate.wait(delay.total_seconds())
2302
2231
break
2303
2232
else:
2304
2233
delay -= time2 - time
2305
2234
2306
2235
try:
2307
2236
session.send(client.secret)
2308
2237
except gnutls.Error as error:
2309
2238
logger.warning("gnutls send failed",
2310
exc_info=error)
2239
exc_info = error)
2311
2240
return
2312
2241
2313
2242
logger.info("Sending secret to %s", client.name)
2314
2243
# bump the timeout using extended_timeout
2315
2244
client.bump_timeout(client.extended_timeout)
2316
2245
if self.server.use_dbus:
2317
2246
# Emit D-Bus signal
2318
2247
client.GotSecret()
2319
2248
2320
2249
finally:
2321
2250
if approval_required:
2322
2251
client.approvals_pending -= 1
2325
2254
except gnutls.Error as error:
2326
2255
logger.warning("GnuTLS bye failed",
2327
2256
exc_info=error)
2328
2257
2329
2258
@staticmethod
2330
2259
def peer_certificate(session):
2331
2260
"Return the peer's OpenPGP certificate as a bytestring"
2343
2272
return None
2344
2273
cert = cert_list[0]
2345
2274
return ctypes.string_at(cert.data, cert.size)
2346
2275
2347
2276
@staticmethod
2348
2277
def fingerprint(openpgp):
2349
2278
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2382
2311
2383
2312
class MultiprocessingMixIn(object):
2384
2313
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2385
2314
2386
2315
def sub_process_main(self, request, address):
2387
2316
try:
2388
2317
self.finish_request(request, address)
2389
2318
except Exception:
2390
2319
self.handle_error(request, address)
2391
2320
self.close_request(request)
2392
2321
2393
2322
def process_request(self, request, address):
2394
2323
"""Start a new process to process the request."""
2395
proc = multiprocessing.Process(target=self.sub_process_main,
2396
args=(request, address))
2324
proc = multiprocessing.Process(target = self.sub_process_main,
2325
args = (request, address))
2397
2326
proc.start()
2398
2327
return proc
2399
2328
2400
2329
2401
2330
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2402
2331
""" adds a pipe to the MixIn """
2403
2332
2404
2333
def process_request(self, request, client_address):
2405
2334
"""Overrides and wraps the original process_request().
2406
2335
2407
2336
This function creates a new pipe in self.pipe
2408
2337
"""
2409
2338
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2410
2339
2411
2340
proc = MultiprocessingMixIn.process_request(self, request,
2412
2341
client_address)
2413
2342
self.child_pipe.close()
2414
2343
self.add_pipe(parent_pipe, proc)
2415
2344
2416
2345
def add_pipe(self, parent_pipe, proc):
2417
2346
"""Dummy function; override as necessary"""
2418
2347
raise NotImplementedError()
2421
2350
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2422
2351
socketserver.TCPServer, object):
2423
2352
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2424
2353
2425
2354
Attributes:
2426
2355
enabled: Boolean; whether this server is activated yet
2427
2356
interface: None or a network interface name (string)
2428
2357
use_ipv6: Boolean; to use IPv6 or not
2429
2358
"""
2430
2359
2431
2360
def __init__(self, server_address, RequestHandlerClass,
2432
2361
interface=None,
2433
2362
use_ipv6=True,
2443
2372
self.socketfd = socketfd
2444
2373
# Save the original socket.socket() function
2445
2374
self.socket_socket = socket.socket
2446
2447
2375
# To implement --socket, we monkey patch socket.socket.
2448
#
2376
#
2449
2377
# (When socketserver.TCPServer is a new-style class, we
2450
2378
# could make self.socket into a property instead of monkey
2451
2379
# patching socket.socket.)
2452
#
2380
#
2453
2381
# Create a one-time-only replacement for socket.socket()
2454
2382
@functools.wraps(socket.socket)
2455
2383
def socket_wrapper(*args, **kwargs):
2467
2395
# socket_wrapper(), if socketfd was set.
2468
2396
socketserver.TCPServer.__init__(self, server_address,
2469
2397
RequestHandlerClass)
2470
2398
2471
2399
def server_bind(self):
2472
2400
"""This overrides the normal server_bind() function
2473
2401
to bind to an interface if one was specified, and also NOT to
2474
2402
bind to an address or port if they were not specified."""
2475
global SO_BINDTODEVICE
2476
2403
if self.interface is not None:
2477
2404
if SO_BINDTODEVICE is None:
2478
# Fall back to a hard-coded value which seems to be
2479
# common enough.
2480
logger.warning("SO_BINDTODEVICE not found, trying 25")
2481
SO_BINDTODEVICE = 25
2482
try:
2483
self.socket.setsockopt(
2484
socket.SOL_SOCKET, SO_BINDTODEVICE,
2485
(self.interface + "\0").encode("utf-8"))
2486
except socket.error as error:
2487
if error.errno == errno.EPERM:
2488
logger.error("No permission to bind to"
2489
" interface %s", self.interface)
2490
elif error.errno == errno.ENOPROTOOPT:
2491
logger.error("SO_BINDTODEVICE not available;"
2492
" cannot bind to interface %s",
2493
self.interface)
2494
elif error.errno == errno.ENODEV:
2495
logger.error("Interface %s does not exist,"
2496
" cannot bind", self.interface)
2497
else:
2498
raise
2405
logger.error("SO_BINDTODEVICE does not exist;"
2406
" cannot bind to interface %s",
2407
self.interface)
2408
else:
2409
try:
2410
self.socket.setsockopt(
2411
socket.SOL_SOCKET, SO_BINDTODEVICE,
2412
(self.interface + "\0").encode("utf-8"))
2413
except socket.error as error:
2414
if error.errno == errno.EPERM:
2415
logger.error("No permission to bind to"
2416
" interface %s", self.interface)
2417
elif error.errno == errno.ENOPROTOOPT:
2418
logger.error("SO_BINDTODEVICE not available;"
2419
" cannot bind to interface %s",
2420
self.interface)
2421
elif error.errno == errno.ENODEV:
2422
logger.error("Interface %s does not exist,"
2423
" cannot bind", self.interface)
2424
else:
2425
raise
2499
2426
# Only bind(2) the socket if we really need to.
2500
2427
if self.server_address[0] or self.server_address[1]:
2501
2428
if not self.server_address[0]:
2502
2429
if self.address_family == socket.AF_INET6:
2503
any_address = "::" # in6addr_any
2430
any_address = "::" # in6addr_any
2504
2431
else:
2505
any_address = "0.0.0.0" # INADDR_ANY
2432
any_address = "0.0.0.0" # INADDR_ANY
2506
2433
self.server_address = (any_address,
2507
2434
self.server_address[1])
2508
2435
elif not self.server_address[1]:
2518
2445
2519
2446
class MandosServer(IPv6_TCPServer):
2520
2447
"""Mandos server.
2521
2448
2522
2449
Attributes:
2523
2450
clients: set of Client objects
2524
2451
gnutls_priority GnuTLS priority string
2525
2452
use_dbus: Boolean; to emit D-Bus signals or not
2526
2527
Assumes a GLib.MainLoop event loop.
2453
2454
Assumes a gobject.MainLoop event loop.
2528
2455
"""
2529
2456
2530
2457
def __init__(self, server_address, RequestHandlerClass,
2531
2458
interface=None,
2532
2459
use_ipv6=True,
2542
2469
self.gnutls_priority = gnutls_priority
2543
2470
IPv6_TCPServer.__init__(self, server_address,
2544
2471
RequestHandlerClass,
2545
interface=interface,
2546
use_ipv6=use_ipv6,
2547
socketfd=socketfd)
2548
2472
interface = interface,
2473
use_ipv6 = use_ipv6,
2474
socketfd = socketfd)
2475
2549
2476
def server_activate(self):
2550
2477
if self.enabled:
2551
2478
return socketserver.TCPServer.server_activate(self)
2552
2479
2553
2480
def enable(self):
2554
2481
self.enabled = True
2555
2482
2556
2483
def add_pipe(self, parent_pipe, proc):
2557
2484
# Call "handle_ipc" for both data and EOF events
2558
GLib.io_add_watch(
2485
gobject.io_add_watch(
2559
2486
parent_pipe.fileno(),
2560
GLib.IO_IN | GLib.IO_HUP,
2487
gobject.IO_IN | gobject.IO_HUP,
2561
2488
functools.partial(self.handle_ipc,
2562
parent_pipe=parent_pipe,
2563
proc=proc))
2564
2489
parent_pipe = parent_pipe,
2490
proc = proc))
2491
2565
2492
def handle_ipc(self, source, condition,
2566
2493
parent_pipe=None,
2567
proc=None,
2494
proc = None,
2568
2495
client_object=None):
2569
2496
# error, or the other end of multiprocessing.Pipe has closed
2570
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2497
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2571
2498
# Wait for other process to exit
2572
2499
proc.join()
2573
2500
return False
2574
2501
2575
2502
# Read a request from the child
2576
2503
request = parent_pipe.recv()
2577
2504
command = request[0]
2578
2505
2579
2506
if command == 'init':
2580
2507
fpr = request[1]
2581
2508
address = request[2]
2582
2583
for c in self.clients.values():
2509
2510
for c in self.clients.itervalues():
2584
2511
if c.fingerprint == fpr:
2585
2512
client = c
2586
2513
break
2593
2520
address[0])
2594
2521
parent_pipe.send(False)
2595
2522
return False
2596
2597
GLib.io_add_watch(
2523
2524
gobject.io_add_watch(
2598
2525
parent_pipe.fileno(),
2599
GLib.IO_IN | GLib.IO_HUP,
2526
gobject.IO_IN | gobject.IO_HUP,
2600
2527
functools.partial(self.handle_ipc,
2601
parent_pipe=parent_pipe,
2602
proc=proc,
2603
client_object=client))
2528
parent_pipe = parent_pipe,
2529
proc = proc,
2530
client_object = client))
2604
2531
parent_pipe.send(True)
2605
2532
# remove the old hook in favor of the new above hook on
2606
2533
# same fileno
2609
2536
funcname = request[1]
2610
2537
args = request[2]
2611
2538
kwargs = request[3]
2612
2539
2613
2540
parent_pipe.send(('data', getattr(client_object,
2614
2541
funcname)(*args,
2615
2542
**kwargs)))
2616
2543
2617
2544
if command == 'getattr':
2618
2545
attrname = request[1]
2619
2546
if isinstance(client_object.__getattribute__(attrname),
2622
2549
else:
2623
2550
parent_pipe.send((
2624
2551
'data', client_object.__getattribute__(attrname)))
2625
2552
2626
2553
if command == 'setattr':
2627
2554
attrname = request[1]
2628
2555
value = request[2]
2629
2556
setattr(client_object, attrname, value)
2630
2557
2631
2558
return True
2632
2559
2633
2560
2634
2561
def rfc3339_duration_to_delta(duration):
2635
2562
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2636
2563
2637
2564
>>> rfc3339_duration_to_delta("P7D")
2638
2565
datetime.timedelta(7)
2639
2566
>>> rfc3339_duration_to_delta("PT60S")
2649
2576
>>> rfc3339_duration_to_delta("P1DT3M20S")
2650
2577
datetime.timedelta(1, 200)
2651
2578
"""
2652
2579
2653
2580
# Parsing an RFC 3339 duration with regular expressions is not
2654
2581
# possible - there would have to be multiple places for the same
2655
2582
# values, like seconds. The current code, while more esoteric, is
2656
2583
# cleaner without depending on a parsing library. If Python had a
2657
2584
# built-in library for parsing we would use it, but we'd like to
2658
2585
# avoid excessive use of external libraries.
2659
2586
2660
2587
# New type for defining tokens, syntax, and semantics all-in-one
2661
2588
Token = collections.namedtuple("Token", (
2662
2589
"regexp", # To match token; if "value" is not None, must have
2695
2622
frozenset((token_year, token_month,
2696
2623
token_day, token_time,
2697
2624
token_week)))
2698
# Define starting values:
2699
# Value so far
2700
value = datetime.timedelta()
2625
# Define starting values
2626
value = datetime.timedelta() # Value so far
2701
2627
found_token = None
2702
# Following valid tokens
2703
followers = frozenset((token_duration, ))
2704
# String left to parse
2705
s = duration
2628
followers = frozenset((token_duration, )) # Following valid tokens
2629
s = duration # String left to parse
2706
2630
# Loop until end token is found
2707
2631
while found_token is not token_end:
2708
2632
# Search for any currently valid tokens
2732
2656
2733
2657
def string_to_delta(interval):
2734
2658
"""Parse a string and return a datetime.timedelta
2735
2659
2736
2660
>>> string_to_delta('7d')
2737
2661
datetime.timedelta(7)
2738
2662
>>> string_to_delta('60s')
2746
2670
>>> string_to_delta('5m 30s')
2747
2671
datetime.timedelta(0, 330)
2748
2672
"""
2749
2673
2750
2674
try:
2751
2675
return rfc3339_duration_to_delta(interval)
2752
2676
except ValueError:
2753
2677
pass
2754
2678
2755
2679
timevalue = datetime.timedelta(0)
2756
2680
for s in interval.split():
2757
2681
try:
2775
2699
return timevalue
2776
2700
2777
2701
2778
def daemon(nochdir=False, noclose=False):
2702
def daemon(nochdir = False, noclose = False):
2779
2703
"""See daemon(3). Standard BSD Unix function.
2780
2704
2781
2705
This should really exist as os.daemon, but it doesn't (yet)."""
2782
2706
if os.fork():
2783
2707
sys.exit()
2801
2725
2802
2726
2803
2727
def main():
2804
2728
2805
2729
##################################################################
2806
2730
# Parsing of options, both command line and config file
2807
2731
2808
2732
parser = argparse.ArgumentParser()
2809
2733
parser.add_argument("-v", "--version", action="version",
2810
version="%(prog)s {}".format(version),
2734
version = "%(prog)s {}".format(version),
2811
2735
help="show version number and exit")
2812
2736
parser.add_argument("-i", "--interface", metavar="IF",
2813
2737
help="Bind to interface IF")
2849
2773
parser.add_argument("--no-zeroconf", action="store_false",
2850
2774
dest="zeroconf", help="Do not use Zeroconf",
2851
2775
default=None)
2852
2776
2853
2777
options = parser.parse_args()
2854
2778
2855
2779
if options.check:
2856
2780
import doctest
2857
2781
fail_count, test_count = doctest.testmod()
2858
2782
sys.exit(os.EX_OK if fail_count == 0 else 1)
2859
2783
2860
2784
# Default values for config file for server-global settings
2861
server_defaults = {"interface": "",
2862
"address": "",
2863
"port": "",
2864
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
2868
"servicename": "Mandos",
2869
"use_dbus": "True",
2870
"use_ipv6": "True",
2871
"debuglevel": "",
2872
"restore": "True",
2873
"socket": "",
2874
"statedir": "/var/lib/mandos",
2875
"foreground": "False",
2876
"zeroconf": "True",
2877
}
2878
2785
server_defaults = { "interface": "",
2786
"address": "",
2787
"port": "",
2788
"debug": "False",
2789
"priority":
2790
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2791
":+SIGN-DSA-SHA256",
2792
"servicename": "Mandos",
2793
"use_dbus": "True",
2794
"use_ipv6": "True",
2795
"debuglevel": "",
2796
"restore": "True",
2797
"socket": "",
2798
"statedir": "/var/lib/mandos",
2799
"foreground": "False",
2800
"zeroconf": "True",
2801
}
2802
2879
2803
# Parse config file for server-global settings
2880
2804
server_config = configparser.SafeConfigParser(server_defaults)
2881
2805
del server_defaults
2899
2823
server_settings["socket"] = os.dup(server_settings
2900
2824
["socket"])
2901
2825
del server_config
2902
2826
2903
2827
# Override the settings from the config file with command line
2904
2828
# options, if set.
2905
2829
for option in ("interface", "address", "port", "debug",
2923
2847
if server_settings["debug"]:
2924
2848
server_settings["foreground"] = True
2925
2849
# Now we have our good server settings in "server_settings"
2926
2850
2927
2851
##################################################################
2928
2852
2929
2853
if (not server_settings["zeroconf"]
2930
2854
and not (server_settings["port"]
2931
2855
or server_settings["socket"] != "")):
2932
2856
parser.error("Needs port or socket to work without Zeroconf")
2933
2857
2934
2858
# For convenience
2935
2859
debug = server_settings["debug"]
2936
2860
debuglevel = server_settings["debuglevel"]
2940
2864
stored_state_file)
2941
2865
foreground = server_settings["foreground"]
2942
2866
zeroconf = server_settings["zeroconf"]
2943
2867
2944
2868
if debug:
2945
2869
initlogger(debug, logging.DEBUG)
2946
2870
else:
2949
2873
else:
2950
2874
level = getattr(logging, debuglevel.upper())
2951
2875
initlogger(debug, level)
2952
2876
2953
2877
if server_settings["servicename"] != "Mandos":
2954
2878
syslogger.setFormatter(
2955
2879
logging.Formatter('Mandos ({}) [%(process)d]:'
2956
2880
' %(levelname)s: %(message)s'.format(
2957
2881
server_settings["servicename"])))
2958
2882
2959
2883
# Parse config file with clients
2960
2884
client_config = configparser.SafeConfigParser(Client
2961
2885
.client_defaults)
2962
2886
client_config.read(os.path.join(server_settings["configdir"],
2963
2887
"clients.conf"))
2964
2888
2965
2889
global mandos_dbus_service
2966
2890
mandos_dbus_service = None
2967
2891
2968
2892
socketfd = None
2969
2893
if server_settings["socket"] != "":
2970
2894
socketfd = server_settings["socket"]
2986
2910
except IOError as e:
2987
2911
logger.error("Could not open file %r", pidfilename,
2988
2912
exc_info=e)
2989
2990
for name, group in (("_mandos", "_mandos"),
2991
("mandos", "mandos"),
2992
("nobody", "nogroup")):
2913
2914
for name in ("_mandos", "mandos", "nobody"):
2993
2915
try:
2994
2916
uid = pwd.getpwnam(name).pw_uid
2995
gid = pwd.getpwnam(group).pw_gid
2917
gid = pwd.getpwnam(name).pw_gid
2996
2918
break
2997
2919
except KeyError:
2998
2920
continue
3002
2924
try:
3003
2925
os.setgid(gid)
3004
2926
os.setuid(uid)
3005
if debug:
3006
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3007
gid))
3008
2927
except OSError as error:
3009
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3010
.format(uid, gid, os.strerror(error.errno)))
3011
2928
if error.errno != errno.EPERM:
3012
2929
raise
3013
2930
3014
2931
if debug:
3015
2932
# Enable all possible GnuTLS debugging
3016
2933
3017
2934
# "Use a log level over 10 to enable all debugging options."
3018
2935
# - GnuTLS manual
3019
2936
gnutls.global_set_log_level(11)
3020
2937
3021
2938
@gnutls.log_func
3022
2939
def debug_gnutls(level, string):
3023
2940
logger.debug("GnuTLS: %s", string[:-1])
3024
2941
3025
2942
gnutls.global_set_log_function(debug_gnutls)
3026
2943
3027
2944
# Redirect stdin so all checkers get /dev/null
3028
2945
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3029
2946
os.dup2(null, sys.stdin.fileno())
3030
2947
if null > 2:
3031
2948
os.close(null)
3032
2949
3033
2950
# Need to fork before connecting to D-Bus
3034
2951
if not foreground:
3035
2952
# Close all input and output, do double fork, etc.
3036
2953
daemon()
3037
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3041
2954
2955
# multiprocessing will use threads, so before we use gobject we
2956
# need to inform gobject that threads will be used.
2957
gobject.threads_init()
2958
3042
2959
global main_loop
3043
2960
# From the Avahi example code
3044
2961
DBusGMainLoop(set_as_default=True)
3045
main_loop = GLib.MainLoop()
2962
main_loop = gobject.MainLoop()
3046
2963
bus = dbus.SystemBus()
3047
2964
# End of Avahi example code
3048
2965
if use_dbus:
3061
2978
if zeroconf:
3062
2979
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3063
2980
service = AvahiServiceToSyslog(
3064
name=server_settings["servicename"],
3065
servicetype="_mandos._tcp",
3066
protocol=protocol,
3067
bus=bus)
2981
name = server_settings["servicename"],
2982
servicetype = "_mandos._tcp",
2983
protocol = protocol,
2984
bus = bus)
3068
2985
if server_settings["interface"]:
3069
2986
service.interface = if_nametoindex(
3070
2987
server_settings["interface"].encode("utf-8"))
3071
2988
3072
2989
global multiprocessing_manager
3073
2990
multiprocessing_manager = multiprocessing.Manager()
3074
2991
3075
2992
client_class = Client
3076
2993
if use_dbus:
3077
client_class = functools.partial(ClientDBus, bus=bus)
3078
2994
client_class = functools.partial(ClientDBus, bus = bus)
2995
3079
2996
client_settings = Client.config_parser(client_config)
3080
2997
old_client_settings = {}
3081
2998
clients_data = {}
3082
2999
3083
3000
# This is used to redirect stdout and stderr for checker processes
3084
3001
global wnull
3085
wnull = open(os.devnull, "w") # A writable /dev/null
3002
wnull = open(os.devnull, "w") # A writable /dev/null
3086
3003
# Only used if server is running in foreground but not in debug
3087
3004
# mode
3088
3005
if debug or not foreground:
3089
3006
wnull.close()
3090
3007
3091
3008
# Get client data and settings from last running state.
3092
3009
if server_settings["restore"]:
3093
3010
try:
3094
3011
with open(stored_state_path, "rb") as stored_state:
3095
if sys.version_info.major == 2:
3096
clients_data, old_client_settings = pickle.load(
3097
stored_state)
3098
else:
3099
bytes_clients_data, bytes_old_client_settings = (
3100
pickle.load(stored_state, encoding="bytes"))
3101
# Fix bytes to strings
3102
# clients_data
3103
# .keys()
3104
clients_data = {(key.decode("utf-8")
3105
if isinstance(key, bytes)
3106
else key): value
3107
for key, value in
3108
bytes_clients_data.items()}
3109
del bytes_clients_data
3110
for key in clients_data:
3111
value = {(k.decode("utf-8")
3112
if isinstance(k, bytes) else k): v
3113
for k, v in
3114
clients_data[key].items()}
3115
clients_data[key] = value
3116
# .client_structure
3117
value["client_structure"] = [
3118
(s.decode("utf-8")
3119
if isinstance(s, bytes)
3120
else s) for s in
3121
value["client_structure"]]
3122
# .name & .host
3123
for k in ("name", "host"):
3124
if isinstance(value[k], bytes):
3125
value[k] = value[k].decode("utf-8")
3126
# old_client_settings
3127
# .keys()
3128
old_client_settings = {
3129
(key.decode("utf-8")
3130
if isinstance(key, bytes)
3131
else key): value
3132
for key, value in
3133
bytes_old_client_settings.items()}
3134
del bytes_old_client_settings
3135
# .host
3136
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
3012
clients_data, old_client_settings = pickle.load(
3013
stored_state)
3140
3014
os.remove(stored_state_path)
3141
3015
except IOError as e:
3142
3016
if e.errno == errno.ENOENT:
3150
3024
logger.warning("Could not load persistent state: "
3151
3025
"EOFError:",
3152
3026
exc_info=e)
3153
3027
3154
3028
with PGPEngine() as pgp:
3155
3029
for client_name, client in clients_data.items():
3156
3030
# Skip removed clients
3157
3031
if client_name not in client_settings:
3158
3032
continue
3159
3033
3160
3034
# Decide which value to use after restoring saved state.
3161
3035
# We have three different values: Old config file,
3162
3036
# new config file, and saved state.
3173
3047
client[name] = value
3174
3048
except KeyError:
3175
3049
pass
3176
3050
3177
3051
# Clients who has passed its expire date can still be
3178
3052
# enabled if its last checker was successful. A Client
3179
3053
# whose checker succeeded before we stored its state is
3212
3086
client_name))
3213
3087
client["secret"] = (client_settings[client_name]
3214
3088
["secret"])
3215
3089
3216
3090
# Add/remove clients based on new changes made to config
3217
3091
for client_name in (set(old_client_settings)
3218
3092
- set(client_settings)):
3220
3094
for client_name in (set(client_settings)
3221
3095
- set(old_client_settings)):
3222
3096
clients_data[client_name] = client_settings[client_name]
3223
3097
3224
3098
# Create all client objects
3225
3099
for client_name, client in clients_data.items():
3226
3100
tcp_server.clients[client_name] = client_class(
3227
name=client_name,
3228
settings=client,
3229
server_settings=server_settings)
3230
3101
name = client_name,
3102
settings = client,
3103
server_settings = server_settings)
3104
3231
3105
if not tcp_server.clients:
3232
3106
logger.warning("No clients defined")
3233
3107
3234
3108
if not foreground:
3235
3109
if pidfile is not None:
3236
3110
pid = os.getpid()
3242
3116
pidfilename, pid)
3243
3117
del pidfile
3244
3118
del pidfilename
3245
3246
for termsig in (signal.SIGHUP, signal.SIGTERM):
3247
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3248
lambda: main_loop.quit() and False)
3249
3119
3120
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3121
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3122
3250
3123
if use_dbus:
3251
3124
3252
3125
@alternate_dbus_interfaces(
3253
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3126
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3254
3127
class MandosDBusService(DBusObjectWithObjectManager):
3255
3128
"""A D-Bus proxy object"""
3256
3129
3257
3130
def __init__(self):
3258
3131
dbus.service.Object.__init__(self, bus, "/")
3259
3132
3260
3133
_interface = "se.recompile.Mandos"
3261
3134
3262
3135
@dbus.service.signal(_interface, signature="o")
3263
3136
def ClientAdded(self, objpath):
3264
3137
"D-Bus signal"
3265
3138
pass
3266
3139
3267
3140
@dbus.service.signal(_interface, signature="ss")
3268
3141
def ClientNotFound(self, fingerprint, address):
3269
3142
"D-Bus signal"
3270
3143
pass
3271
3144
3272
3145
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3273
3146
"true"})
3274
3147
@dbus.service.signal(_interface, signature="os")
3275
3148
def ClientRemoved(self, objpath, name):
3276
3149
"D-Bus signal"
3277
3150
pass
3278
3151
3279
3152
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3280
3153
"true"})
3281
3154
@dbus.service.method(_interface, out_signature="ao")
3282
3155
def GetAllClients(self):
3283
3156
"D-Bus method"
3284
3157
return dbus.Array(c.dbus_object_path for c in
3285
tcp_server.clients.values())
3286
3158
tcp_server.clients.itervalues())
3159
3287
3160
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3288
3161
"true"})
3289
3162
@dbus.service.method(_interface,
3291
3164
def GetAllClientsWithProperties(self):
3292
3165
"D-Bus method"
3293
3166
return dbus.Dictionary(
3294
{c.dbus_object_path: c.GetAll(
3167
{ c.dbus_object_path: c.GetAll(
3295
3168
"se.recompile.Mandos.Client")
3296
for c in tcp_server.clients.values()},
3169
for c in tcp_server.clients.itervalues() },
3297
3170
signature="oa{sv}")
3298
3171
3299
3172
@dbus.service.method(_interface, in_signature="o")
3300
3173
def RemoveClient(self, object_path):
3301
3174
"D-Bus method"
3302
for c in tcp_server.clients.values():
3175
for c in tcp_server.clients.itervalues():
3303
3176
if c.dbus_object_path == object_path:
3304
3177
del tcp_server.clients[c.name]
3305
3178
c.remove_from_connection()
3309
3182
self.client_removed_signal(c)
3310
3183
return
3311
3184
raise KeyError(object_path)
3312
3185
3313
3186
del _interface
3314
3187
3315
3188
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3316
out_signature="a{oa{sa{sv}}}")
3189
out_signature = "a{oa{sa{sv}}}")
3317
3190
def GetManagedObjects(self):
3318
3191
"""D-Bus method"""
3319
3192
return dbus.Dictionary(
3320
{client.dbus_object_path:
3321
dbus.Dictionary(
3322
{interface: client.GetAll(interface)
3323
for interface in
3324
client._get_all_interface_names()})
3325
for client in tcp_server.clients.values()})
3326
3193
{ client.dbus_object_path:
3194
dbus.Dictionary(
3195
{ interface: client.GetAll(interface)
3196
for interface in
3197
client._get_all_interface_names()})
3198
for client in tcp_server.clients.values()})
3199
3327
3200
def client_added_signal(self, client):
3328
3201
"""Send the new standard signal and the old signal"""
3329
3202
if use_dbus:
3331
3204
self.InterfacesAdded(
3332
3205
client.dbus_object_path,
3333
3206
dbus.Dictionary(
3334
{interface: client.GetAll(interface)
3335
for interface in
3336
client._get_all_interface_names()}))
3207
{ interface: client.GetAll(interface)
3208
for interface in
3209
client._get_all_interface_names()}))
3337
3210
# Old signal
3338
3211
self.ClientAdded(client.dbus_object_path)
3339
3212
3340
3213
def client_removed_signal(self, client):
3341
3214
"""Send the new standard signal and the old signal"""
3342
3215
if use_dbus:
3347
3220
# Old signal
3348
3221
self.ClientRemoved(client.dbus_object_path,
3349
3222
client.name)
3350
3223
3351
3224
mandos_dbus_service = MandosDBusService()
3352
3353
# Save modules to variables to exempt the modules from being
3354
# unloaded before the function registered with atexit() is run.
3355
mp = multiprocessing
3356
wn = wnull
3357
3225
3358
3226
def cleanup():
3359
3227
"Cleanup function; run on exit"
3360
3228
if zeroconf:
3361
3229
service.cleanup()
3362
3363
mp.active_children()
3364
wn.close()
3230
3231
multiprocessing.active_children()
3232
wnull.close()
3365
3233
if not (tcp_server.clients or client_settings):
3366
3234
return
3367
3235
3368
3236
# Store client before exiting. Secrets are encrypted with key
3369
3237
# based on what config file has. If config file is
3370
3238
# removed/edited, old secret will thus be unrecovable.
3371
3239
clients = {}
3372
3240
with PGPEngine() as pgp:
3373
for client in tcp_server.clients.values():
3241
for client in tcp_server.clients.itervalues():
3374
3242
key = client_settings[client.name]["secret"]
3375
3243
client.encrypted_secret = pgp.encrypt(client.secret,
3376
3244
key)
3377
3245
client_dict = {}
3378
3246
3379
3247
# A list of attributes that can not be pickled
3380
3248
# + secret.
3381
exclude = {"bus", "changedstate", "secret",
3382
"checker", "server_settings"}
3249
exclude = { "bus", "changedstate", "secret",
3250
"checker", "server_settings" }
3383
3251
for name, typ in inspect.getmembers(dbus.service
3384
3252
.Object):
3385
3253
exclude.add(name)
3386
3254
3387
3255
client_dict["encrypted_secret"] = (client
3388
3256
.encrypted_secret)
3389
3257
for attr in client.client_structure:
3390
3258
if attr not in exclude:
3391
3259
client_dict[attr] = getattr(client, attr)
3392
3260
3393
3261
clients[client.name] = client_dict
3394
3262
del client_settings[client.name]["secret"]
3395
3263
3396
3264
try:
3397
3265
with tempfile.NamedTemporaryFile(
3398
3266
mode='wb',
3400
3268
prefix='clients-',
3401
3269
dir=os.path.dirname(stored_state_path),
3402
3270
delete=False) as stored_state:
3403
pickle.dump((clients, client_settings), stored_state,
3404
protocol=2)
3271
pickle.dump((clients, client_settings), stored_state)
3405
3272
tempname = stored_state.name
3406
3273
os.rename(tempname, stored_state_path)
3407
3274
except (IOError, OSError) as e:
3417
3284
logger.warning("Could not save persistent state:",
3418
3285
exc_info=e)
3419
3286
raise
3420
3287
3421
3288
# Delete all clients, and settings from config
3422
3289
while tcp_server.clients:
3423
3290
name, client = tcp_server.clients.popitem()
3429
3296
if use_dbus:
3430
3297
mandos_dbus_service.client_removed_signal(client)
3431
3298
client_settings.clear()
3432
3299
3433
3300
atexit.register(cleanup)
3434
3435
for client in tcp_server.clients.values():
3301
3302
for client in tcp_server.clients.itervalues():
3436
3303
if use_dbus:
3437
3304
# Emit D-Bus signal for adding
3438
3305
mandos_dbus_service.client_added_signal(client)
3439
3306
# Need to initiate checking of clients
3440
3307
if client.enabled:
3441
3308
client.init_checker()
3442
3309
3443
3310
tcp_server.enable()
3444
3311
tcp_server.server_activate()
3445
3312
3446
3313
# Find out what port we got
3447
3314
if zeroconf:
3448
3315
service.port = tcp_server.socket.getsockname()[1]
3453
3320
else: # IPv4
3454
3321
logger.info("Now listening on address %r, port %d",
3455
3322
*tcp_server.socket.getsockname())
3456
3457
# service.interface = tcp_server.socket.getsockname()[3]
3458
3323
3324
#service.interface = tcp_server.socket.getsockname()[3]
3325
3459
3326
try:
3460
3327
if zeroconf:
3461
3328
# From the Avahi example code
3466
3333
cleanup()
3467
3334
sys.exit(1)
3468
3335
# End of Avahi example code
3469
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3474
3336
3337
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3338
lambda *args, **kwargs:
3339
(tcp_server.handle_request
3340
(*args[2:], **kwargs) or True))
3341
3475
3342
logger.debug("Starting main loop")
3476
3343
main_loop.run()
3477
3344
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0