To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 819
- compare with another revision
- download diff
- download tarball
- view history from revision 819
- Committer: Teddy Hogeborn
- Date: 2016-03-05 20:11:10 UTC
- Revision ID: teddy@recompile.se-20160305201110-6f7nws77k1h96e8k
errno is of type int, not error_t
* plugins.d/mandos-client.c (raise_privileges,
raise_privileges_permanently, lower_privileges,
lower_privileges_permanently, bring_up_interface,
take_down_interface, ): Change return type and all errno-containing
variables to type "int".
(get_flags): Change all errno-containing variables to type "int".
(main): Change all errno-containing variables to type "int", except
for values which are explicitly of type error_t.
* plugins.d/mandos-client.c (raise_privileges,
raise_privileges_permanently, lower_privileges,
lower_privileges_permanently, bring_up_interface,
take_down_interface, ): Change return type and all errno-containing
variables to type "int".
(get_flags): Change all errno-containing variables to type "int".
(main): Change all errno-containing variables to type "int", except
for values which are explicitly of type error_t.
- files added:
- initramfs-tools-hook-conf
- files removed:
- bugs.xml
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
37
36
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
37
from future_builtins import *
42
38
43
39
try:
44
40
import SocketServer as socketserver
77
73
import itertools
78
74
import collections
79
75
import codecs
80
import unittest
81
import random
82
import shlex
83
76
84
77
import dbus
85
78
import dbus.service
86
import gi
87
from gi.repository import GLib
79
try:
80
import gobject
81
except ImportError:
82
from gi.repository import GObject as gobject
83
import avahi
88
84
from dbus.mainloop.glib import DBusGMainLoop
89
85
import ctypes
90
86
import ctypes.util
91
87
import xml.dom.minidom
92
88
import inspect
93
89
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
90
try:
122
91
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
92
except AttributeError:
124
93
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
94
from IN import SO_BINDTODEVICE
128
95
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.14"
96
SO_BINDTODEVICE = None
97
98
if sys.version_info.major == 2:
99
str = unicode
100
101
version = "1.7.3"
147
102
stored_state_file = "clients.pickle"
148
103
149
104
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
105
syslogger = None
152
106
153
107
try:
154
108
if_nametoindex = ctypes.cdll.LoadLibrary(
155
109
ctypes.util.find_library("c")).if_nametoindex
156
110
except (OSError, AttributeError):
157
111
158
112
def if_nametoindex(interface):
159
113
"Get an interface index the hard way, i.e. using fcntl()"
160
114
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
165
119
return interface_index
166
120
167
121
168
def copy_function(func):
169
"""Make a copy of a function"""
170
if sys.version_info.major == 2:
171
return types.FunctionType(func.func_code,
172
func.func_globals,
173
func.func_name,
174
func.func_defaults,
175
func.func_closure)
176
else:
177
return types.FunctionType(func.__code__,
178
func.__globals__,
179
func.__name__,
180
func.__defaults__,
181
func.__closure__)
182
183
184
122
def initlogger(debug, level=logging.WARNING):
185
123
"""init logger and add loglevel"""
186
124
187
125
global syslogger
188
126
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
191
129
syslogger.setFormatter(logging.Formatter
192
130
('Mandos [%(process)d]: %(levelname)s:'
193
131
' %(message)s'))
194
132
logger.addHandler(syslogger)
195
133
196
134
if debug:
197
135
console = logging.StreamHandler()
198
136
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
208
146
pass
209
147
210
148
211
class PGPEngine:
149
class PGPEngine(object):
212
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
151
214
152
def __init__(self):
215
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
154
self.gpg = "gpg"
217
155
try:
218
156
output = subprocess.check_output(["gpgconf"])
219
157
for line in output.splitlines():
220
name, text, path = line.split(b":")
221
if name == b"gpg":
158
name, text, path = line.split(":")
159
if name == "gpg":
222
160
self.gpg = path
223
161
break
224
162
except OSError as e:
227
165
self.gnupgargs = ['--batch',
228
166
'--homedir', self.tempdir,
229
167
'--force-mdc',
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
168
'--quiet',
169
'--no-use-agent']
170
235
171
def __enter__(self):
236
172
return self
237
173
238
174
def __exit__(self, exc_type, exc_value, traceback):
239
175
self._cleanup()
240
176
return False
241
177
242
178
def __del__(self):
243
179
self._cleanup()
244
180
245
181
def _cleanup(self):
246
182
if self.tempdir is not None:
247
183
# Delete contents of tempdir
248
184
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
185
topdown = False):
250
186
for filename in files:
251
187
os.remove(os.path.join(root, filename))
252
188
for dirname in dirs:
254
190
# Remove tempdir
255
191
os.rmdir(self.tempdir)
256
192
self.tempdir = None
257
193
258
194
def password_encode(self, password):
259
195
# Passphrase can not be empty and can not contain newlines or
260
196
# NUL bytes. So we prefix it and hex encode it.
265
201
.replace(b"\n", b"\\n")
266
202
.replace(b"\0", b"\\x00"))
267
203
return encoded
268
204
269
205
def encrypt(self, data, password):
270
206
passphrase = self.password_encode(password)
271
207
with tempfile.NamedTemporaryFile(
276
212
'--passphrase-file',
277
213
passfile.name]
278
214
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
215
stdin = subprocess.PIPE,
216
stdout = subprocess.PIPE,
217
stderr = subprocess.PIPE)
218
ciphertext, err = proc.communicate(input = data)
283
219
if proc.returncode != 0:
284
220
raise PGPError(err)
285
221
return ciphertext
286
222
287
223
def decrypt(self, data, password):
288
224
passphrase = self.password_encode(password)
289
225
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
226
dir = self.tempdir) as passfile:
291
227
passfile.write(passphrase)
292
228
passfile.flush()
293
229
proc = subprocess.Popen([self.gpg, '--decrypt',
294
230
'--passphrase-file',
295
231
passfile.name]
296
232
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
233
stdin = subprocess.PIPE,
234
stdout = subprocess.PIPE,
235
stderr = subprocess.PIPE)
236
decrypted_plaintext, err = proc.communicate(input = data)
301
237
if proc.returncode != 0:
302
238
raise PGPError(err)
303
239
return decrypted_plaintext
304
240
305
241
306
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
313
DBUS_NAME = "org.freedesktop.Avahi"
314
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
320
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
331
332
242
class AvahiError(Exception):
333
243
def __init__(self, value, *args, **kwargs):
334
244
self.value = value
344
254
pass
345
255
346
256
347
class AvahiService:
257
class AvahiService(object):
348
258
"""An Avahi (Zeroconf) service.
349
259
350
260
Attributes:
351
261
interface: integer; avahi.IF_UNSPEC or an interface index.
352
262
Used to optionally bind to the specified interface.
364
274
server: D-Bus Server
365
275
bus: dbus.SystemBus()
366
276
"""
367
277
368
278
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
279
interface = avahi.IF_UNSPEC,
280
name = None,
281
servicetype = None,
282
port = None,
283
TXT = None,
284
domain = "",
285
host = "",
286
max_renames = 32768,
287
protocol = avahi.PROTO_UNSPEC,
288
bus = None):
379
289
self.interface = interface
380
290
self.name = name
381
291
self.type = servicetype
390
300
self.server = None
391
301
self.bus = bus
392
302
self.entry_group_state_changed_match = None
393
303
394
304
def rename(self, remove=True):
395
305
"""Derived from the Avahi example code"""
396
306
if self.rename_count >= self.max_renames:
416
326
logger.critical("D-Bus Exception", exc_info=error)
417
327
self.cleanup()
418
328
os._exit(1)
419
329
420
330
def remove(self):
421
331
"""Derived from the Avahi example code"""
422
332
if self.entry_group_state_changed_match is not None:
424
334
self.entry_group_state_changed_match = None
425
335
if self.group is not None:
426
336
self.group.Reset()
427
337
428
338
def add(self):
429
339
"""Derived from the Avahi example code"""
430
340
self.remove()
447
357
dbus.UInt16(self.port),
448
358
avahi.string_array_to_txt_array(self.TXT))
449
359
self.group.Commit()
450
360
451
361
def entry_group_state_changed(self, state, error):
452
362
"""Derived from the Avahi example code"""
453
363
logger.debug("Avahi entry group state change: %i", state)
454
364
455
365
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
366
logger.debug("Zeroconf service established.")
457
367
elif state == avahi.ENTRY_GROUP_COLLISION:
461
371
logger.critical("Avahi: Error in group state changed %s",
462
372
str(error))
463
373
raise AvahiGroupError("State changed: {!s}".format(error))
464
374
465
375
def cleanup(self):
466
376
"""Derived from the Avahi example code"""
467
377
if self.group is not None:
472
382
pass
473
383
self.group = None
474
384
self.remove()
475
385
476
386
def server_state_changed(self, state, error=None):
477
387
"""Derived from the Avahi example code"""
478
388
logger.debug("Avahi server state change: %i", state)
507
417
logger.debug("Unknown state: %r", state)
508
418
else:
509
419
logger.debug("Unknown state: %r: %r", state, error)
510
420
511
421
def activate(self):
512
422
"""Derived from the Avahi example code"""
513
423
if self.server is None:
524
434
class AvahiServiceToSyslog(AvahiService):
525
435
def rename(self, *args, **kwargs):
526
436
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args,
528
**kwargs)
437
ret = AvahiService.rename(self, *args, **kwargs)
529
438
syslogger.setFormatter(logging.Formatter(
530
439
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
531
440
.format(self.name)))
532
441
return ret
533
442
534
535
443
# Pretend that we have a GnuTLS module
536
class gnutls:
537
"""This isn't so much a class as it is a module-like namespace."""
538
539
library = ctypes.util.find_library("gnutls")
540
if library is None:
541
library = ctypes.util.find_library("gnutls-deb0")
542
_library = ctypes.cdll.LoadLibrary(library)
543
del library
544
444
class GnuTLS(object):
445
"""This isn't so much a class as it is a module-like namespace.
446
It is instantiated once, and simulates having a GnuTLS module."""
447
448
_library = ctypes.cdll.LoadLibrary(
449
ctypes.util.find_library("gnutls"))
450
_need_version = "3.3.0"
451
def __init__(self):
452
# Need to use class name "GnuTLS" here, since this method is
453
# called before the assignment to the "gnutls" global variable
454
# happens.
455
if GnuTLS.check_version(self._need_version) is None:
456
raise GnuTLS.Error("Needs GnuTLS {} or later"
457
.format(self._need_version))
458
545
459
# Unless otherwise indicated, the constants and types below are
546
460
# all from the gnutls/gnutls.h C header file.
547
461
548
462
# Constants
549
463
E_SUCCESS = 0
550
464
E_INTERRUPTED = -52
551
465
E_AGAIN = -28
552
466
CRT_OPENPGP = 2
553
CRT_RAWPK = 3
554
467
CLIENT = 2
555
468
SHUT_RDWR = 0
556
469
CRD_CERTIFICATE = 1
557
470
E_NO_CERTIFICATE_FOUND = -49
558
X509_FMT_DER = 0
559
NO_TICKETS = 1<<10
560
ENABLE_RAWPK = 1<<18
561
CTYPE_PEERS = 3
562
KEYID_USE_SHA256 = 1 # gnutls/x509.h
563
471
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
564
472
565
473
# Types
566
class _session_int(ctypes.Structure):
474
class session_int(ctypes.Structure):
567
475
_fields_ = []
568
session_t = ctypes.POINTER(_session_int)
569
476
session_t = ctypes.POINTER(session_int)
570
477
class certificate_credentials_st(ctypes.Structure):
571
478
_fields_ = []
572
479
certificate_credentials_t = ctypes.POINTER(
573
480
certificate_credentials_st)
574
481
certificate_type_t = ctypes.c_int
575
576
482
class datum_t(ctypes.Structure):
577
483
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
578
484
('size', ctypes.c_uint)]
579
580
class _openpgp_crt_int(ctypes.Structure):
485
class openpgp_crt_int(ctypes.Structure):
581
486
_fields_ = []
582
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
583
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
487
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
488
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
584
489
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
585
credentials_type_t = ctypes.c_int
490
credentials_type_t = ctypes.c_int #
586
491
transport_ptr_t = ctypes.c_void_p
587
492
close_request_t = ctypes.c_int
588
493
589
494
# Exceptions
590
495
class Error(Exception):
591
def __init__(self, message=None, code=None, args=()):
496
# We need to use the class name "GnuTLS" here, since this
497
# exception might be raised from within GnuTLS.__init__,
498
# which is called before the assignment to the "gnutls"
499
# global variable has happened.
500
def __init__(self, message = None, code = None, args=()):
592
501
# Default usage is by a message string, but if a return
593
502
# code is passed, convert it to a string with
594
503
# gnutls.strerror()
595
504
self.code = code
596
505
if message is None and code is not None:
597
message = gnutls.strerror(code).decode(
598
"utf-8", errors="replace")
599
return super(gnutls.Error, self).__init__(
506
message = GnuTLS.strerror(code)
507
return super(GnuTLS.Error, self).__init__(
600
508
message, *args)
601
509
602
510
class CertificateSecurityError(Error):
603
511
pass
604
605
class PointerTo:
606
def __init__(self, cls):
607
self.cls = cls
608
609
def from_param(self, obj):
610
if not isinstance(obj, self.cls):
611
raise TypeError("Not of type {}: {!r}"
612
.format(self.cls.__name__, obj))
613
return ctypes.byref(obj.from_param(obj))
614
615
class CastToVoidPointer:
616
def __init__(self, cls):
617
self.cls = cls
618
619
def from_param(self, obj):
620
if not isinstance(obj, self.cls):
621
raise TypeError("Not of type {}: {!r}"
622
.format(self.cls.__name__, obj))
623
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
624
625
class With_from_param:
626
@classmethod
627
def from_param(cls, obj):
628
return obj._as_parameter_
629
512
630
513
# Classes
631
class Credentials(With_from_param):
514
class Credentials(object):
632
515
def __init__(self):
633
self._as_parameter_ = gnutls.certificate_credentials_t()
634
gnutls.certificate_allocate_credentials(self)
516
self._c_object = gnutls.certificate_credentials_t()
517
gnutls.certificate_allocate_credentials(
518
ctypes.byref(self._c_object))
635
519
self.type = gnutls.CRD_CERTIFICATE
636
520
637
521
def __del__(self):
638
gnutls.certificate_free_credentials(self)
639
640
class ClientSession(With_from_param):
641
def __init__(self, socket, credentials=None):
642
self._as_parameter_ = gnutls.session_t()
643
gnutls_flags = gnutls.CLIENT
644
if gnutls.check_version(b"3.5.6"):
645
gnutls_flags |= gnutls.NO_TICKETS
646
if gnutls.has_rawpk:
647
gnutls_flags |= gnutls.ENABLE_RAWPK
648
gnutls.init(self, gnutls_flags)
649
del gnutls_flags
650
gnutls.set_default_priority(self)
651
gnutls.transport_set_ptr(self, socket.fileno())
652
gnutls.handshake_set_private_extensions(self, True)
522
gnutls.certificate_free_credentials(self._c_object)
523
524
class ClientSession(object):
525
def __init__(self, socket, credentials = None):
526
self._c_object = gnutls.session_t()
527
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
528
gnutls.set_default_priority(self._c_object)
529
gnutls.transport_set_ptr(self._c_object, socket.fileno())
530
gnutls.handshake_set_private_extensions(self._c_object,
531
True)
653
532
self.socket = socket
654
533
if credentials is None:
655
534
credentials = gnutls.Credentials()
656
gnutls.credentials_set(self, credentials.type,
657
credentials)
535
gnutls.credentials_set(self._c_object, credentials.type,
536
ctypes.cast(credentials._c_object,
537
ctypes.c_void_p))
658
538
self.credentials = credentials
659
539
660
540
def __del__(self):
661
gnutls.deinit(self)
662
541
gnutls.deinit(self._c_object)
542
663
543
def handshake(self):
664
return gnutls.handshake(self)
665
544
return gnutls.handshake(self._c_object)
545
666
546
def send(self, data):
667
547
data = bytes(data)
668
548
data_len = len(data)
669
549
while data_len > 0:
670
data_len -= gnutls.record_send(self, data[-data_len:],
550
data_len -= gnutls.record_send(self._c_object,
551
data[-data_len:],
671
552
data_len)
672
553
673
554
def bye(self):
674
return gnutls.bye(self, gnutls.SHUT_RDWR)
675
555
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
556
676
557
# Error handling functions
677
558
def _error_code(result):
678
559
"""A function to raise exceptions on errors, suitable
679
560
for the 'restype' attribute on ctypes functions"""
680
if result >= gnutls.E_SUCCESS:
561
if result >= 0:
681
562
return result
682
563
if result == gnutls.E_NO_CERTIFICATE_FOUND:
683
raise gnutls.CertificateSecurityError(code=result)
684
raise gnutls.Error(code=result)
685
686
def _retry_on_error(result, func, arguments,
687
_error_code=_error_code):
564
raise gnutls.CertificateSecurityError(code = result)
565
raise gnutls.Error(code = result)
566
567
def _retry_on_error(result, func, arguments):
688
568
"""A function to retry on some errors, suitable
689
569
for the 'errcheck' attribute on ctypes functions"""
690
while result < gnutls.E_SUCCESS:
570
while result < 0:
691
571
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
692
572
return _error_code(result)
693
573
result = func(*arguments)
694
574
return result
695
575
696
576
# Unless otherwise indicated, the function declarations below are
697
577
# all from the gnutls/gnutls.h C header file.
698
578
699
579
# Functions
700
580
priority_set_direct = _library.gnutls_priority_set_direct
701
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
581
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
702
582
ctypes.POINTER(ctypes.c_char_p)]
703
583
priority_set_direct.restype = _error_code
704
584
705
585
init = _library.gnutls_init
706
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
586
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
707
587
init.restype = _error_code
708
588
709
589
set_default_priority = _library.gnutls_set_default_priority
710
set_default_priority.argtypes = [ClientSession]
590
set_default_priority.argtypes = [session_t]
711
591
set_default_priority.restype = _error_code
712
592
713
593
record_send = _library.gnutls_record_send
714
record_send.argtypes = [ClientSession, ctypes.c_void_p,
594
record_send.argtypes = [session_t, ctypes.c_void_p,
715
595
ctypes.c_size_t]
716
596
record_send.restype = ctypes.c_ssize_t
717
597
record_send.errcheck = _retry_on_error
718
598
719
599
certificate_allocate_credentials = (
720
600
_library.gnutls_certificate_allocate_credentials)
721
601
certificate_allocate_credentials.argtypes = [
722
PointerTo(Credentials)]
602
ctypes.POINTER(certificate_credentials_t)]
723
603
certificate_allocate_credentials.restype = _error_code
724
604
725
605
certificate_free_credentials = (
726
606
_library.gnutls_certificate_free_credentials)
727
certificate_free_credentials.argtypes = [Credentials]
607
certificate_free_credentials.argtypes = [certificate_credentials_t]
728
608
certificate_free_credentials.restype = None
729
609
730
610
handshake_set_private_extensions = (
731
611
_library.gnutls_handshake_set_private_extensions)
732
handshake_set_private_extensions.argtypes = [ClientSession,
612
handshake_set_private_extensions.argtypes = [session_t,
733
613
ctypes.c_int]
734
614
handshake_set_private_extensions.restype = None
735
615
736
616
credentials_set = _library.gnutls_credentials_set
737
credentials_set.argtypes = [ClientSession, credentials_type_t,
738
CastToVoidPointer(Credentials)]
617
credentials_set.argtypes = [session_t, credentials_type_t,
618
ctypes.c_void_p]
739
619
credentials_set.restype = _error_code
740
620
741
621
strerror = _library.gnutls_strerror
742
622
strerror.argtypes = [ctypes.c_int]
743
623
strerror.restype = ctypes.c_char_p
744
624
745
625
certificate_type_get = _library.gnutls_certificate_type_get
746
certificate_type_get.argtypes = [ClientSession]
626
certificate_type_get.argtypes = [session_t]
747
627
certificate_type_get.restype = _error_code
748
628
749
629
certificate_get_peers = _library.gnutls_certificate_get_peers
750
certificate_get_peers.argtypes = [ClientSession,
630
certificate_get_peers.argtypes = [session_t,
751
631
ctypes.POINTER(ctypes.c_uint)]
752
632
certificate_get_peers.restype = ctypes.POINTER(datum_t)
753
633
754
634
global_set_log_level = _library.gnutls_global_set_log_level
755
635
global_set_log_level.argtypes = [ctypes.c_int]
756
636
global_set_log_level.restype = None
757
637
758
638
global_set_log_function = _library.gnutls_global_set_log_function
759
639
global_set_log_function.argtypes = [log_func]
760
640
global_set_log_function.restype = None
761
641
762
642
deinit = _library.gnutls_deinit
763
deinit.argtypes = [ClientSession]
643
deinit.argtypes = [session_t]
764
644
deinit.restype = None
765
645
766
646
handshake = _library.gnutls_handshake
767
handshake.argtypes = [ClientSession]
768
handshake.restype = ctypes.c_int
647
handshake.argtypes = [session_t]
648
handshake.restype = _error_code
769
649
handshake.errcheck = _retry_on_error
770
650
771
651
transport_set_ptr = _library.gnutls_transport_set_ptr
772
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
652
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
773
653
transport_set_ptr.restype = None
774
654
775
655
bye = _library.gnutls_bye
776
bye.argtypes = [ClientSession, close_request_t]
777
bye.restype = ctypes.c_int
656
bye.argtypes = [session_t, close_request_t]
657
bye.restype = _error_code
778
658
bye.errcheck = _retry_on_error
779
659
780
660
check_version = _library.gnutls_check_version
781
661
check_version.argtypes = [ctypes.c_char_p]
782
662
check_version.restype = ctypes.c_char_p
783
784
_need_version = b"3.3.0"
785
if check_version(_need_version) is None:
786
raise self.Error("Needs GnuTLS {} or later"
787
.format(_need_version))
788
789
_tls_rawpk_version = b"3.6.6"
790
has_rawpk = bool(check_version(_tls_rawpk_version))
791
792
if has_rawpk:
793
# Types
794
class pubkey_st(ctypes.Structure):
795
_fields = []
796
pubkey_t = ctypes.POINTER(pubkey_st)
797
798
x509_crt_fmt_t = ctypes.c_int
799
800
# All the function declarations below are from
801
# gnutls/abstract.h
802
pubkey_init = _library.gnutls_pubkey_init
803
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
804
pubkey_init.restype = _error_code
805
806
pubkey_import = _library.gnutls_pubkey_import
807
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
808
x509_crt_fmt_t]
809
pubkey_import.restype = _error_code
810
811
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
812
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
813
ctypes.POINTER(ctypes.c_ubyte),
814
ctypes.POINTER(ctypes.c_size_t)]
815
pubkey_get_key_id.restype = _error_code
816
817
pubkey_deinit = _library.gnutls_pubkey_deinit
818
pubkey_deinit.argtypes = [pubkey_t]
819
pubkey_deinit.restype = None
820
else:
821
# All the function declarations below are from
822
# gnutls/openpgp.h
823
824
openpgp_crt_init = _library.gnutls_openpgp_crt_init
825
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
826
openpgp_crt_init.restype = _error_code
827
828
openpgp_crt_import = _library.gnutls_openpgp_crt_import
829
openpgp_crt_import.argtypes = [openpgp_crt_t,
830
ctypes.POINTER(datum_t),
831
openpgp_crt_fmt_t]
832
openpgp_crt_import.restype = _error_code
833
834
openpgp_crt_verify_self = \
835
_library.gnutls_openpgp_crt_verify_self
836
openpgp_crt_verify_self.argtypes = [
837
openpgp_crt_t,
838
ctypes.c_uint,
839
ctypes.POINTER(ctypes.c_uint),
840
]
841
openpgp_crt_verify_self.restype = _error_code
842
843
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
844
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
845
openpgp_crt_deinit.restype = None
846
847
openpgp_crt_get_fingerprint = (
848
_library.gnutls_openpgp_crt_get_fingerprint)
849
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
850
ctypes.c_void_p,
851
ctypes.POINTER(
852
ctypes.c_size_t)]
853
openpgp_crt_get_fingerprint.restype = _error_code
854
855
if check_version(b"3.6.4"):
856
certificate_type_get2 = _library.gnutls_certificate_type_get2
857
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
858
certificate_type_get2.restype = _error_code
859
663
664
# All the function declarations below are from gnutls/openpgp.h
665
666
openpgp_crt_init = _library.gnutls_openpgp_crt_init
667
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
668
openpgp_crt_init.restype = _error_code
669
670
openpgp_crt_import = _library.gnutls_openpgp_crt_import
671
openpgp_crt_import.argtypes = [openpgp_crt_t,
672
ctypes.POINTER(datum_t),
673
openpgp_crt_fmt_t]
674
openpgp_crt_import.restype = _error_code
675
676
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
677
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
678
ctypes.POINTER(ctypes.c_uint)]
679
openpgp_crt_verify_self.restype = _error_code
680
681
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
682
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
683
openpgp_crt_deinit.restype = None
684
685
openpgp_crt_get_fingerprint = (
686
_library.gnutls_openpgp_crt_get_fingerprint)
687
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
688
ctypes.c_void_p,
689
ctypes.POINTER(
690
ctypes.c_size_t)]
691
openpgp_crt_get_fingerprint.restype = _error_code
692
860
693
# Remove non-public functions
861
694
del _error_code, _retry_on_error
862
695
# Create the global "gnutls" object, simulating a module
696
gnutls = GnuTLS()
863
697
864
698
def call_pipe(connection, # : multiprocessing.Connection
865
699
func, *args, **kwargs):
866
700
"""This function is meant to be called by multiprocessing.Process
867
701
868
702
This function runs func(*args, **kwargs), and writes the resulting
869
703
return value on the provided multiprocessing.Connection.
870
704
"""
871
705
connection.send(func(*args, **kwargs))
872
706
connection.close()
873
707
874
875
class Client:
708
class Client(object):
876
709
"""A representation of a client host served by this server.
877
710
878
711
Attributes:
879
712
approved: bool(); 'None' if not yet approved/disapproved
880
713
approval_delay: datetime.timedelta(); Time to wait for approval
881
714
approval_duration: datetime.timedelta(); Duration of one approval
882
checker: multiprocessing.Process(); a running checker process used
883
to see if the client lives. 'None' if no process is
884
running.
885
checker_callback_tag: a GLib event source tag, or None
715
checker: subprocess.Popen(); a running checker process used
716
to see if the client lives.
717
'None' if no process is running.
718
checker_callback_tag: a gobject event source tag, or None
886
719
checker_command: string; External command which is run to check
887
720
if client lives. %() expansions are done at
888
721
runtime with vars(self) as dict, so that for
889
722
instance %(name)s can be used in the command.
890
checker_initiator_tag: a GLib event source tag, or None
723
checker_initiator_tag: a gobject event source tag, or None
891
724
created: datetime.datetime(); (UTC) object creation
892
725
client_structure: Object describing what attributes a client has
893
726
and is used for storing the client at exit
894
727
current_checker_command: string; current running checker_command
895
disable_initiator_tag: a GLib event source tag, or None
728
disable_initiator_tag: a gobject event source tag, or None
896
729
enabled: bool()
897
730
fingerprint: string (40 or 32 hexadecimal digits); used to
898
uniquely identify an OpenPGP client
899
key_id: string (64 hexadecimal digits); used to uniquely identify
900
a client using raw public keys
731
uniquely identify the client
901
732
host: string; available for use by the checker command
902
733
interval: datetime.timedelta(); How often to start a new checker
903
734
last_approval_request: datetime.datetime(); (UTC) or None
919
750
disabled, or None
920
751
server_settings: The server_settings dict from main()
921
752
"""
922
753
923
754
runtime_expansions = ("approval_delay", "approval_duration",
924
"created", "enabled", "expires", "key_id",
755
"created", "enabled", "expires",
925
756
"fingerprint", "host", "interval",
926
757
"last_approval_request", "last_checked_ok",
927
758
"last_enabled", "name", "timeout")
936
767
"approved_by_default": "True",
937
768
"enabled": "True",
938
769
}
939
770
940
771
@staticmethod
941
772
def config_parser(config):
942
773
"""Construct a new dict of client settings of this form:
949
780
for client_name in config.sections():
950
781
section = dict(config.items(client_name))
951
782
client = settings[client_name] = {}
952
783
953
784
client["host"] = section["host"]
954
785
# Reformat values from string types to Python types
955
786
client["approved_by_default"] = config.getboolean(
956
787
client_name, "approved_by_default")
957
788
client["enabled"] = config.getboolean(client_name,
958
789
"enabled")
959
960
# Uppercase and remove spaces from key_id and fingerprint
961
# for later comparison purposes with return value from the
962
# key_id() and fingerprint() functions
963
client["key_id"] = (section.get("key_id", "").upper()
964
.replace(" ", ""))
790
791
# Uppercase and remove spaces from fingerprint for later
792
# comparison purposes with return value from the
793
# fingerprint() function
965
794
client["fingerprint"] = (section["fingerprint"].upper()
966
795
.replace(" ", ""))
967
796
if "secret" in section:
968
client["secret"] = codecs.decode(section["secret"]
969
.encode("utf-8"),
970
"base64")
797
client["secret"] = section["secret"].decode("base64")
971
798
elif "secfile" in section:
972
799
with open(os.path.expanduser(os.path.expandvars
973
800
(section["secfile"])),
988
815
client["last_approval_request"] = None
989
816
client["last_checked_ok"] = None
990
817
client["last_checker_status"] = -2
991
818
992
819
return settings
993
994
def __init__(self, settings, name=None, server_settings=None):
820
821
def __init__(self, settings, name = None, server_settings=None):
995
822
self.name = name
996
823
if server_settings is None:
997
824
server_settings = {}
999
826
# adding all client settings
1000
827
for setting, value in settings.items():
1001
828
setattr(self, setting, value)
1002
829
1003
830
if self.enabled:
1004
831
if not hasattr(self, "last_enabled"):
1005
832
self.last_enabled = datetime.datetime.utcnow()
1009
836
else:
1010
837
self.last_enabled = None
1011
838
self.expires = None
1012
839
1013
840
logger.debug("Creating client %r", self.name)
1014
logger.debug(" Key ID: %s", self.key_id)
1015
841
logger.debug(" Fingerprint: %s", self.fingerprint)
1016
842
self.created = settings.get("created",
1017
843
datetime.datetime.utcnow())
1018
844
1019
845
# attributes specific for this server instance
1020
846
self.checker = None
1021
847
self.checker_initiator_tag = None
1027
853
self.changedstate = multiprocessing_manager.Condition(
1028
854
multiprocessing_manager.Lock())
1029
855
self.client_structure = [attr
1030
for attr in self.__dict__.keys()
856
for attr in self.__dict__.iterkeys()
1031
857
if not attr.startswith("_")]
1032
858
self.client_structure.append("client_structure")
1033
859
1034
860
for name, t in inspect.getmembers(
1035
861
type(self), lambda obj: isinstance(obj, property)):
1036
862
if not name.startswith("_"):
1037
863
self.client_structure.append(name)
1038
864
1039
865
# Send notice to process children that client state has changed
1040
866
def send_changedstate(self):
1041
867
with self.changedstate:
1042
868
self.changedstate.notify_all()
1043
869
1044
870
def enable(self):
1045
871
"""Start this client's checker and timeout hooks"""
1046
872
if getattr(self, "enabled", False):
1051
877
self.last_enabled = datetime.datetime.utcnow()
1052
878
self.init_checker()
1053
879
self.send_changedstate()
1054
880
1055
881
def disable(self, quiet=True):
1056
882
"""Disable this client."""
1057
883
if not getattr(self, "enabled", False):
1059
885
if not quiet:
1060
886
logger.info("Disabling client %s", self.name)
1061
887
if getattr(self, "disable_initiator_tag", None) is not None:
1062
GLib.source_remove(self.disable_initiator_tag)
888
gobject.source_remove(self.disable_initiator_tag)
1063
889
self.disable_initiator_tag = None
1064
890
self.expires = None
1065
891
if getattr(self, "checker_initiator_tag", None) is not None:
1066
GLib.source_remove(self.checker_initiator_tag)
892
gobject.source_remove(self.checker_initiator_tag)
1067
893
self.checker_initiator_tag = None
1068
894
self.stop_checker()
1069
895
self.enabled = False
1070
896
if not quiet:
1071
897
self.send_changedstate()
1072
# Do not run this again if called by a GLib.timeout_add
898
# Do not run this again if called by a gobject.timeout_add
1073
899
return False
1074
900
1075
901
def __del__(self):
1076
902
self.disable()
1077
903
1078
904
def init_checker(self):
1079
905
# Schedule a new checker to be started an 'interval' from now,
1080
906
# and every interval from then on.
1081
907
if self.checker_initiator_tag is not None:
1082
GLib.source_remove(self.checker_initiator_tag)
1083
self.checker_initiator_tag = GLib.timeout_add(
1084
random.randrange(int(self.interval.total_seconds() * 1000
1085
+ 1)),
908
gobject.source_remove(self.checker_initiator_tag)
909
self.checker_initiator_tag = gobject.timeout_add(
910
int(self.interval.total_seconds() * 1000),
1086
911
self.start_checker)
1087
912
# Schedule a disable() when 'timeout' has passed
1088
913
if self.disable_initiator_tag is not None:
1089
GLib.source_remove(self.disable_initiator_tag)
1090
self.disable_initiator_tag = GLib.timeout_add(
914
gobject.source_remove(self.disable_initiator_tag)
915
self.disable_initiator_tag = gobject.timeout_add(
1091
916
int(self.timeout.total_seconds() * 1000), self.disable)
1092
917
# Also start a new checker *right now*.
1093
918
self.start_checker()
1094
919
1095
920
def checker_callback(self, source, condition, connection,
1096
921
command):
1097
922
"""The checker has completed, so take appropriate actions."""
923
self.checker_callback_tag = None
924
self.checker = None
1098
925
# Read return code from connection (see call_pipe)
1099
926
returncode = connection.recv()
1100
927
connection.close()
1101
if self.checker is not None:
1102
self.checker.join()
1103
self.checker_callback_tag = None
1104
self.checker = None
1105
928
1106
929
if returncode >= 0:
1107
930
self.last_checker_status = returncode
1108
931
self.last_checker_signal = None
1118
941
logger.warning("Checker for %(name)s crashed?",
1119
942
vars(self))
1120
943
return False
1121
944
1122
945
def checked_ok(self):
1123
946
"""Assert that the client has been seen, alive and well."""
1124
947
self.last_checked_ok = datetime.datetime.utcnow()
1125
948
self.last_checker_status = 0
1126
949
self.last_checker_signal = None
1127
950
self.bump_timeout()
1128
951
1129
952
def bump_timeout(self, timeout=None):
1130
953
"""Bump up the timeout for this client."""
1131
954
if timeout is None:
1132
955
timeout = self.timeout
1133
956
if self.disable_initiator_tag is not None:
1134
GLib.source_remove(self.disable_initiator_tag)
957
gobject.source_remove(self.disable_initiator_tag)
1135
958
self.disable_initiator_tag = None
1136
959
if getattr(self, "enabled", False):
1137
self.disable_initiator_tag = GLib.timeout_add(
960
self.disable_initiator_tag = gobject.timeout_add(
1138
961
int(timeout.total_seconds() * 1000), self.disable)
1139
962
self.expires = datetime.datetime.utcnow() + timeout
1140
963
1141
964
def need_approval(self):
1142
965
self.last_approval_request = datetime.datetime.utcnow()
1143
966
1144
967
def start_checker(self):
1145
968
"""Start a new checker subprocess if one is not running.
1146
969
1147
970
If a checker already exists, leave it running and do
1148
971
nothing."""
1149
972
# The reason for not killing a running checker is that if we
1154
977
# checkers alone, the checker would have to take more time
1155
978
# than 'timeout' for the client to be disabled, which is as it
1156
979
# should be.
1157
980
1158
981
if self.checker is not None and not self.checker.is_alive():
1159
982
logger.warning("Checker was not alive; joining")
1160
983
self.checker.join()
1163
986
if self.checker is None:
1164
987
# Escape attributes for the shell
1165
988
escaped_attrs = {
1166
attr: shlex.quote(str(getattr(self, attr)))
1167
for attr in self.runtime_expansions}
989
attr: re.escape(str(getattr(self, attr)))
990
for attr in self.runtime_expansions }
1168
991
try:
1169
992
command = self.checker_command % escaped_attrs
1170
993
except TypeError as error:
1182
1005
# The exception is when not debugging but nevertheless
1183
1006
# running in the foreground; use the previously
1184
1007
# created wnull.
1185
popen_args = {"close_fds": True,
1186
"shell": True,
1187
"cwd": "/"}
1008
popen_args = { "close_fds": True,
1009
"shell": True,
1010
"cwd": "/" }
1188
1011
if (not self.server_settings["debug"]
1189
1012
and self.server_settings["foreground"]):
1190
1013
popen_args.update({"stdout": wnull,
1191
"stderr": wnull})
1192
pipe = multiprocessing.Pipe(duplex=False)
1014
"stderr": wnull })
1015
pipe = multiprocessing.Pipe(duplex = False)
1193
1016
self.checker = multiprocessing.Process(
1194
target=call_pipe,
1195
args=(pipe[1], subprocess.call, command),
1196
kwargs=popen_args)
1017
target = call_pipe,
1018
args = (pipe[1], subprocess.call, command),
1019
kwargs = popen_args)
1197
1020
self.checker.start()
1198
self.checker_callback_tag = GLib.io_add_watch(
1199
GLib.IOChannel.unix_new(pipe[0].fileno()),
1200
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1021
self.checker_callback_tag = gobject.io_add_watch(
1022
pipe[0].fileno(), gobject.IO_IN,
1201
1023
self.checker_callback, pipe[0], command)
1202
# Re-run this periodically if run by GLib.timeout_add
1024
# Re-run this periodically if run by gobject.timeout_add
1203
1025
return True
1204
1026
1205
1027
def stop_checker(self):
1206
1028
"""Force the checker process, if any, to stop."""
1207
1029
if self.checker_callback_tag:
1208
GLib.source_remove(self.checker_callback_tag)
1030
gobject.source_remove(self.checker_callback_tag)
1209
1031
self.checker_callback_tag = None
1210
1032
if getattr(self, "checker", None) is None:
1211
1033
return
1220
1042
byte_arrays=False):
1221
1043
"""Decorators for marking methods of a DBusObjectWithProperties to
1222
1044
become properties on the D-Bus.
1223
1045
1224
1046
The decorated method will be called with no arguments by "Get"
1225
1047
and with one argument by "Set".
1226
1048
1227
1049
The parameters, where they are supported, are the same as
1228
1050
dbus.service.method, except there is only "signature", since the
1229
1051
type from Get() and the type sent to Set() is the same.
1233
1055
if byte_arrays and signature != "ay":
1234
1056
raise ValueError("Byte arrays not supported for non-'ay'"
1235
1057
" signature {!r}".format(signature))
1236
1058
1237
1059
def decorator(func):
1238
1060
func._dbus_is_property = True
1239
1061
func._dbus_interface = dbus_interface
1242
1064
func._dbus_name = func.__name__
1243
1065
if func._dbus_name.endswith("_dbus_property"):
1244
1066
func._dbus_name = func._dbus_name[:-14]
1245
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1067
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1246
1068
return func
1247
1069
1248
1070
return decorator
1249
1071
1250
1072
1251
1073
def dbus_interface_annotations(dbus_interface):
1252
1074
"""Decorator for marking functions returning interface annotations
1253
1075
1254
1076
Usage:
1255
1077
1256
1078
@dbus_interface_annotations("org.example.Interface")
1257
1079
def _foo(self): # Function name does not matter
1258
1080
return {"org.freedesktop.DBus.Deprecated": "true",
1259
1081
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1260
1082
"false"}
1261
1083
"""
1262
1084
1263
1085
def decorator(func):
1264
1086
func._dbus_is_interface = True
1265
1087
func._dbus_interface = dbus_interface
1266
1088
func._dbus_name = dbus_interface
1267
1089
return func
1268
1090
1269
1091
return decorator
1270
1092
1271
1093
1272
1094
def dbus_annotations(annotations):
1273
1095
"""Decorator to annotate D-Bus methods, signals or properties
1274
1096
Usage:
1275
1097
1276
1098
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1277
1099
"org.freedesktop.DBus.Property."
1278
1100
"EmitsChangedSignal": "false"})
1280
1102
access="r")
1281
1103
def Property_dbus_property(self):
1282
1104
return dbus.Boolean(False)
1283
1105
1284
1106
See also the DBusObjectWithAnnotations class.
1285
1107
"""
1286
1108
1287
1109
def decorator(func):
1288
1110
func._dbus_annotations = annotations
1289
1111
return func
1290
1112
1291
1113
return decorator
1292
1114
1293
1115
1311
1133
1312
1134
class DBusObjectWithAnnotations(dbus.service.Object):
1313
1135
"""A D-Bus object with annotations.
1314
1136
1315
1137
Classes inheriting from this can use the dbus_annotations
1316
1138
decorator to add annotations to methods or signals.
1317
1139
"""
1318
1140
1319
1141
@staticmethod
1320
1142
def _is_dbus_thing(thing):
1321
1143
"""Returns a function testing if an attribute is a D-Bus thing
1322
1144
1323
1145
If called like _is_dbus_thing("method") it returns a function
1324
1146
suitable for use as predicate to inspect.getmembers().
1325
1147
"""
1326
1148
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1327
1149
False)
1328
1150
1329
1151
def _get_all_dbus_things(self, thing):
1330
1152
"""Returns a generator of (name, attribute) pairs
1331
1153
"""
1334
1156
for cls in self.__class__.__mro__
1335
1157
for name, athing in
1336
1158
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1337
1159
1338
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1339
out_signature="s",
1340
path_keyword='object_path',
1341
connection_keyword='connection')
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1342
1164
def Introspect(self, object_path, connection):
1343
1165
"""Overloading of standard D-Bus method.
1344
1166
1345
1167
Inserts annotation tags on methods and signals.
1346
1168
"""
1347
1169
xmlstring = dbus.service.Object.Introspect(self, object_path,
1348
1170
connection)
1349
1171
try:
1350
1172
document = xml.dom.minidom.parseString(xmlstring)
1351
1173
1352
1174
for if_tag in document.getElementsByTagName("interface"):
1353
1175
# Add annotation tags
1354
1176
for typ in ("method", "signal"):
1381
1203
if_tag.appendChild(ann_tag)
1382
1204
# Fix argument name for the Introspect method itself
1383
1205
if (if_tag.getAttribute("name")
1384
== dbus.INTROSPECTABLE_IFACE):
1206
== dbus.INTROSPECTABLE_IFACE):
1385
1207
for cn in if_tag.getElementsByTagName("method"):
1386
1208
if cn.getAttribute("name") == "Introspect":
1387
1209
for arg in cn.getElementsByTagName("arg"):
1400
1222
1401
1223
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1402
1224
"""A D-Bus object with properties.
1403
1225
1404
1226
Classes inheriting from this can use the dbus_service_property
1405
1227
decorator to expose methods as D-Bus properties. It exposes the
1406
1228
standard Get(), Set(), and GetAll() methods on the D-Bus.
1407
1229
"""
1408
1230
1409
1231
def _get_dbus_property(self, interface_name, property_name):
1410
1232
"""Returns a bound method if one exists which is a D-Bus
1411
1233
property with the specified name and interface.
1416
1238
if (value._dbus_name == property_name
1417
1239
and value._dbus_interface == interface_name):
1418
1240
return value.__get__(self)
1419
1241
1420
1242
# No such property
1421
1243
raise DBusPropertyNotFound("{}:{}.{}".format(
1422
1244
self.dbus_object_path, interface_name, property_name))
1423
1245
1424
1246
@classmethod
1425
1247
def _get_all_interface_names(cls):
1426
1248
"""Get a sequence of all interfaces supported by an object"""
1429
1251
for x in (inspect.getmro(cls))
1430
1252
for attr in dir(x))
1431
1253
if name is not None)
1432
1254
1433
1255
@dbus.service.method(dbus.PROPERTIES_IFACE,
1434
1256
in_signature="ss",
1435
1257
out_signature="v")
1443
1265
if not hasattr(value, "variant_level"):
1444
1266
return value
1445
1267
return type(value)(value, variant_level=value.variant_level+1)
1446
1268
1447
1269
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1448
1270
def Set(self, interface_name, property_name, value):
1449
1271
"""Standard D-Bus property Set() method, see D-Bus standard.
1458
1280
raise ValueError("Byte arrays not supported for non-"
1459
1281
"'ay' signature {!r}"
1460
1282
.format(prop._dbus_signature))
1461
value = dbus.ByteArray(bytes(value))
1283
value = dbus.ByteArray(b''.join(chr(byte)
1284
for byte in value))
1462
1285
prop(value)
1463
1286
1464
1287
@dbus.service.method(dbus.PROPERTIES_IFACE,
1465
1288
in_signature="s",
1466
1289
out_signature="a{sv}")
1467
1290
def GetAll(self, interface_name):
1468
1291
"""Standard D-Bus property GetAll() method, see D-Bus
1469
1292
standard.
1470
1293
1471
1294
Note: Will not include properties with access="write".
1472
1295
"""
1473
1296
properties = {}
1484
1307
properties[name] = value
1485
1308
continue
1486
1309
properties[name] = type(value)(
1487
value, variant_level=value.variant_level + 1)
1310
value, variant_level = value.variant_level + 1)
1488
1311
return dbus.Dictionary(properties, signature="sv")
1489
1312
1490
1313
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1491
1314
def PropertiesChanged(self, interface_name, changed_properties,
1492
1315
invalidated_properties):
1494
1317
standard.
1495
1318
"""
1496
1319
pass
1497
1320
1498
1321
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1499
1322
out_signature="s",
1500
1323
path_keyword='object_path',
1501
1324
connection_keyword='connection')
1502
1325
def Introspect(self, object_path, connection):
1503
1326
"""Overloading of standard D-Bus method.
1504
1327
1505
1328
Inserts property tags and interface annotation tags.
1506
1329
"""
1507
1330
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1509
1332
connection)
1510
1333
try:
1511
1334
document = xml.dom.minidom.parseString(xmlstring)
1512
1335
1513
1336
def make_tag(document, name, prop):
1514
1337
e = document.createElement("property")
1515
1338
e.setAttribute("name", name)
1516
1339
e.setAttribute("type", prop._dbus_signature)
1517
1340
e.setAttribute("access", prop._dbus_access)
1518
1341
return e
1519
1342
1520
1343
for if_tag in document.getElementsByTagName("interface"):
1521
1344
# Add property tags
1522
1345
for tag in (make_tag(document, name, prop)
1564
1387
exc_info=error)
1565
1388
return xmlstring
1566
1389
1567
1568
1390
try:
1569
1391
dbus.OBJECT_MANAGER_IFACE
1570
1392
except AttributeError:
1571
1393
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1572
1394
1573
1574
1395
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1575
1396
"""A D-Bus object with an ObjectManager.
1576
1397
1577
1398
Classes inheriting from this exposes the standard
1578
1399
GetManagedObjects call and the InterfacesAdded and
1579
1400
InterfacesRemoved signals on the standard
1580
1401
"org.freedesktop.DBus.ObjectManager" interface.
1581
1402
1582
1403
Note: No signals are sent automatically; they must be sent
1583
1404
manually.
1584
1405
"""
1585
1406
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1586
out_signature="a{oa{sa{sv}}}")
1407
out_signature = "a{oa{sa{sv}}}")
1587
1408
def GetManagedObjects(self):
1588
1409
"""This function must be overridden"""
1589
1410
raise NotImplementedError()
1590
1411
1591
1412
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1592
signature="oa{sa{sv}}")
1413
signature = "oa{sa{sv}}")
1593
1414
def InterfacesAdded(self, object_path, interfaces_and_properties):
1594
1415
pass
1595
1596
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1416
1417
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1597
1418
def InterfacesRemoved(self, object_path, interfaces):
1598
1419
pass
1599
1420
1600
1421
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1601
out_signature="s",
1602
path_keyword='object_path',
1603
connection_keyword='connection')
1422
out_signature = "s",
1423
path_keyword = 'object_path',
1424
connection_keyword = 'connection')
1604
1425
def Introspect(self, object_path, connection):
1605
1426
"""Overloading of standard D-Bus method.
1606
1427
1607
1428
Override return argument name of GetManagedObjects to be
1608
1429
"objpath_interfaces_and_properties"
1609
1430
"""
1612
1433
connection)
1613
1434
try:
1614
1435
document = xml.dom.minidom.parseString(xmlstring)
1615
1436
1616
1437
for if_tag in document.getElementsByTagName("interface"):
1617
1438
# Fix argument name for the GetManagedObjects method
1618
1439
if (if_tag.getAttribute("name")
1619
== dbus.OBJECT_MANAGER_IFACE):
1440
== dbus.OBJECT_MANAGER_IFACE):
1620
1441
for cn in if_tag.getElementsByTagName("method"):
1621
1442
if (cn.getAttribute("name")
1622
1443
== "GetManagedObjects"):
1632
1453
except (AttributeError, xml.dom.DOMException,
1633
1454
xml.parsers.expat.ExpatError) as error:
1634
1455
logger.error("Failed to override Introspection method",
1635
exc_info=error)
1456
exc_info = error)
1636
1457
return xmlstring
1637
1458
1638
1639
1459
def datetime_to_dbus(dt, variant_level=0):
1640
1460
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1641
1461
if dt is None:
1642
return dbus.String("", variant_level=variant_level)
1462
return dbus.String("", variant_level = variant_level)
1643
1463
return dbus.String(dt.isoformat(), variant_level=variant_level)
1644
1464
1645
1465
1648
1468
dbus.service.Object, it will add alternate D-Bus attributes with
1649
1469
interface names according to the "alt_interface_names" mapping.
1650
1470
Usage:
1651
1471
1652
1472
@alternate_dbus_interfaces({"org.example.Interface":
1653
1473
"net.example.AlternateInterface"})
1654
1474
class SampleDBusObject(dbus.service.Object):
1655
1475
@dbus.service.method("org.example.Interface")
1656
1476
def SampleDBusMethod():
1657
1477
pass
1658
1478
1659
1479
The above "SampleDBusMethod" on "SampleDBusObject" will be
1660
1480
reachable via two interfaces: "org.example.Interface" and
1661
1481
"net.example.AlternateInterface", the latter of which will have
1662
1482
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1663
1483
"true", unless "deprecate" is passed with a False value.
1664
1484
1665
1485
This works for methods and signals, and also for D-Bus properties
1666
1486
(from DBusObjectWithProperties) and interfaces (from the
1667
1487
dbus_interface_annotations decorator).
1668
1488
"""
1669
1489
1670
1490
def wrapper(cls):
1671
1491
for orig_interface_name, alt_interface_name in (
1672
1492
alt_interface_names.items()):
1687
1507
interface_names.add(alt_interface)
1688
1508
# Is this a D-Bus signal?
1689
1509
if getattr(attribute, "_dbus_is_signal", False):
1690
# Extract the original non-method undecorated
1691
# function by black magic
1692
1510
if sys.version_info.major == 2:
1511
# Extract the original non-method undecorated
1512
# function by black magic
1693
1513
nonmethod_func = (dict(
1694
1514
zip(attribute.func_code.co_freevars,
1695
1515
attribute.__closure__))
1696
1516
["func"].cell_contents)
1697
1517
else:
1698
nonmethod_func = (dict(
1699
zip(attribute.__code__.co_freevars,
1700
attribute.__closure__))
1701
["func"].cell_contents)
1518
nonmethod_func = attribute
1702
1519
# Create a new, but exactly alike, function
1703
1520
# object, and decorate it to be a new D-Bus signal
1704
1521
# with the alternate D-Bus interface name
1705
new_function = copy_function(nonmethod_func)
1522
if sys.version_info.major == 2:
1523
new_function = types.FunctionType(
1524
nonmethod_func.func_code,
1525
nonmethod_func.func_globals,
1526
nonmethod_func.func_name,
1527
nonmethod_func.func_defaults,
1528
nonmethod_func.func_closure)
1529
else:
1530
new_function = types.FunctionType(
1531
nonmethod_func.__code__,
1532
nonmethod_func.__globals__,
1533
nonmethod_func.__name__,
1534
nonmethod_func.__defaults__,
1535
nonmethod_func.__closure__)
1706
1536
new_function = (dbus.service.signal(
1707
1537
alt_interface,
1708
1538
attribute._dbus_signature)(new_function))
1712
1542
attribute._dbus_annotations)
1713
1543
except AttributeError:
1714
1544
pass
1715
1716
1545
# Define a creator of a function to call both the
1717
1546
# original and alternate functions, so both the
1718
1547
# original and alternate signals gets sent when
1721
1550
"""This function is a scope container to pass
1722
1551
func1 and func2 to the "call_both" function
1723
1552
outside of its arguments"""
1724
1553
1725
1554
@functools.wraps(func2)
1726
1555
def call_both(*args, **kwargs):
1727
1556
"""This function will emit two D-Bus
1728
1557
signals by calling func1 and func2"""
1729
1558
func1(*args, **kwargs)
1730
1559
func2(*args, **kwargs)
1731
# Make wrapper function look like a D-Bus
1732
# signal
1560
# Make wrapper function look like a D-Bus signal
1733
1561
for name, attr in inspect.getmembers(func2):
1734
1562
if name.startswith("_dbus_"):
1735
1563
setattr(call_both, name, attr)
1736
1564
1737
1565
return call_both
1738
1566
# Create the "call_both" function and add it to
1739
1567
# the class
1749
1577
alt_interface,
1750
1578
attribute._dbus_in_signature,
1751
1579
attribute._dbus_out_signature)
1752
(copy_function(attribute)))
1580
(types.FunctionType(attribute.func_code,
1581
attribute.func_globals,
1582
attribute.func_name,
1583
attribute.func_defaults,
1584
attribute.func_closure)))
1753
1585
# Copy annotations, if any
1754
1586
try:
1755
1587
attr[attrname]._dbus_annotations = dict(
1767
1599
attribute._dbus_access,
1768
1600
attribute._dbus_get_args_options
1769
1601
["byte_arrays"])
1770
(copy_function(attribute)))
1602
(types.FunctionType(
1603
attribute.func_code,
1604
attribute.func_globals,
1605
attribute.func_name,
1606
attribute.func_defaults,
1607
attribute.func_closure)))
1771
1608
# Copy annotations, if any
1772
1609
try:
1773
1610
attr[attrname]._dbus_annotations = dict(
1782
1619
# to the class.
1783
1620
attr[attrname] = (
1784
1621
dbus_interface_annotations(alt_interface)
1785
(copy_function(attribute)))
1622
(types.FunctionType(attribute.func_code,
1623
attribute.func_globals,
1624
attribute.func_name,
1625
attribute.func_defaults,
1626
attribute.func_closure)))
1786
1627
if deprecate:
1787
1628
# Deprecate all alternate interfaces
1788
iname = "_AlternateDBusNames_interface_annotation{}"
1629
iname="_AlternateDBusNames_interface_annotation{}"
1789
1630
for interface_name in interface_names:
1790
1631
1791
1632
@dbus_interface_annotations(interface_name)
1792
1633
def func(self):
1793
return {"org.freedesktop.DBus.Deprecated":
1794
"true"}
1634
return { "org.freedesktop.DBus.Deprecated":
1635
"true" }
1795
1636
# Find an unused name
1796
1637
for aname in (iname.format(i)
1797
1638
for i in itertools.count()):
1801
1642
if interface_names:
1802
1643
# Replace the class with a new subclass of it with
1803
1644
# methods, signals, etc. as created above.
1804
if sys.version_info.major == 2:
1805
cls = type(b"{}Alternate".format(cls.__name__),
1806
(cls, ), attr)
1807
else:
1808
cls = type("{}Alternate".format(cls.__name__),
1809
(cls, ), attr)
1645
cls = type(b"{}Alternate".format(cls.__name__),
1646
(cls, ), attr)
1810
1647
return cls
1811
1648
1812
1649
return wrapper
1813
1650
1814
1651
1816
1653
"se.bsnet.fukt.Mandos"})
1817
1654
class ClientDBus(Client, DBusObjectWithProperties):
1818
1655
"""A Client class using D-Bus
1819
1656
1820
1657
Attributes:
1821
1658
dbus_object_path: dbus.ObjectPath
1822
1659
bus: dbus.SystemBus()
1823
1660
"""
1824
1661
1825
1662
runtime_expansions = (Client.runtime_expansions
1826
1663
+ ("dbus_object_path", ))
1827
1664
1828
1665
_interface = "se.recompile.Mandos.Client"
1829
1666
1830
1667
# dbus.service.Object doesn't use super(), so we can't either.
1831
1832
def __init__(self, bus=None, *args, **kwargs):
1668
1669
def __init__(self, bus = None, *args, **kwargs):
1833
1670
self.bus = bus
1834
1671
Client.__init__(self, *args, **kwargs)
1835
1672
# Only now, when this client is initialized, can it show up on
1841
1678
"/clients/" + client_object_name)
1842
1679
DBusObjectWithProperties.__init__(self, self.bus,
1843
1680
self.dbus_object_path)
1844
1681
1845
1682
def notifychangeproperty(transform_func, dbus_name,
1846
1683
type_func=lambda x: x,
1847
1684
variant_level=1,
1849
1686
_interface=_interface):
1850
1687
""" Modify a variable so that it's a property which announces
1851
1688
its changes to DBus.
1852
1689
1853
1690
transform_fun: Function that takes a value and a variant_level
1854
1691
and transforms it to a D-Bus type.
1855
1692
dbus_name: D-Bus name of the variable
1858
1695
variant_level: D-Bus variant level. Default: 1
1859
1696
"""
1860
1697
attrname = "_{}".format(dbus_name)
1861
1698
1862
1699
def setter(self, value):
1863
1700
if hasattr(self, "dbus_object_path"):
1864
1701
if (not hasattr(self, attrname) or
1871
1708
else:
1872
1709
dbus_value = transform_func(
1873
1710
type_func(value),
1874
variant_level=variant_level)
1711
variant_level = variant_level)
1875
1712
self.PropertyChanged(dbus.String(dbus_name),
1876
1713
dbus_value)
1877
1714
self.PropertiesChanged(
1878
1715
_interface,
1879
dbus.Dictionary({dbus.String(dbus_name):
1880
dbus_value}),
1716
dbus.Dictionary({ dbus.String(dbus_name):
1717
dbus_value }),
1881
1718
dbus.Array())
1882
1719
setattr(self, attrname, value)
1883
1720
1884
1721
return property(lambda self: getattr(self, attrname), setter)
1885
1722
1886
1723
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1887
1724
approvals_pending = notifychangeproperty(dbus.Boolean,
1888
1725
"ApprovalPending",
1889
type_func=bool)
1726
type_func = bool)
1890
1727
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1891
1728
last_enabled = notifychangeproperty(datetime_to_dbus,
1892
1729
"LastEnabled")
1893
1730
checker = notifychangeproperty(
1894
1731
dbus.Boolean, "CheckerRunning",
1895
type_func=lambda checker: checker is not None)
1732
type_func = lambda checker: checker is not None)
1896
1733
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1897
1734
"LastCheckedOK")
1898
1735
last_checker_status = notifychangeproperty(dbus.Int16,
1903
1740
"ApprovedByDefault")
1904
1741
approval_delay = notifychangeproperty(
1905
1742
dbus.UInt64, "ApprovalDelay",
1906
type_func=lambda td: td.total_seconds() * 1000)
1743
type_func = lambda td: td.total_seconds() * 1000)
1907
1744
approval_duration = notifychangeproperty(
1908
1745
dbus.UInt64, "ApprovalDuration",
1909
type_func=lambda td: td.total_seconds() * 1000)
1746
type_func = lambda td: td.total_seconds() * 1000)
1910
1747
host = notifychangeproperty(dbus.String, "Host")
1911
1748
timeout = notifychangeproperty(
1912
1749
dbus.UInt64, "Timeout",
1913
type_func=lambda td: td.total_seconds() * 1000)
1750
type_func = lambda td: td.total_seconds() * 1000)
1914
1751
extended_timeout = notifychangeproperty(
1915
1752
dbus.UInt64, "ExtendedTimeout",
1916
type_func=lambda td: td.total_seconds() * 1000)
1753
type_func = lambda td: td.total_seconds() * 1000)
1917
1754
interval = notifychangeproperty(
1918
1755
dbus.UInt64, "Interval",
1919
type_func=lambda td: td.total_seconds() * 1000)
1756
type_func = lambda td: td.total_seconds() * 1000)
1920
1757
checker_command = notifychangeproperty(dbus.String, "Checker")
1921
1758
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1922
1759
invalidate_only=True)
1923
1760
1924
1761
del notifychangeproperty
1925
1762
1926
1763
def __del__(self, *args, **kwargs):
1927
1764
try:
1928
1765
self.remove_from_connection()
1931
1768
if hasattr(DBusObjectWithProperties, "__del__"):
1932
1769
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1933
1770
Client.__del__(self, *args, **kwargs)
1934
1771
1935
1772
def checker_callback(self, source, condition,
1936
1773
connection, command, *args, **kwargs):
1937
1774
ret = Client.checker_callback(self, source, condition,
1953
1790
| self.last_checker_signal),
1954
1791
dbus.String(command))
1955
1792
return ret
1956
1793
1957
1794
def start_checker(self, *args, **kwargs):
1958
1795
old_checker_pid = getattr(self.checker, "pid", None)
1959
1796
r = Client.start_checker(self, *args, **kwargs)
1963
1800
# Emit D-Bus signal
1964
1801
self.CheckerStarted(self.current_checker_command)
1965
1802
return r
1966
1803
1967
1804
def _reset_approved(self):
1968
1805
self.approved = None
1969
1806
return False
1970
1807
1971
1808
def approve(self, value=True):
1972
1809
self.approved = value
1973
GLib.timeout_add(int(self.approval_duration.total_seconds()
1974
* 1000), self._reset_approved)
1810
gobject.timeout_add(int(self.approval_duration.total_seconds()
1811
* 1000), self._reset_approved)
1975
1812
self.send_changedstate()
1976
1977
# D-Bus methods, signals & properties
1978
1979
# Interfaces
1980
1981
# Signals
1982
1813
1814
## D-Bus methods, signals & properties
1815
1816
## Interfaces
1817
1818
## Signals
1819
1983
1820
# CheckerCompleted - signal
1984
1821
@dbus.service.signal(_interface, signature="nxs")
1985
1822
def CheckerCompleted(self, exitcode, waitstatus, command):
1986
1823
"D-Bus signal"
1987
1824
pass
1988
1825
1989
1826
# CheckerStarted - signal
1990
1827
@dbus.service.signal(_interface, signature="s")
1991
1828
def CheckerStarted(self, command):
1992
1829
"D-Bus signal"
1993
1830
pass
1994
1831
1995
1832
# PropertyChanged - signal
1996
1833
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1997
1834
@dbus.service.signal(_interface, signature="sv")
1998
1835
def PropertyChanged(self, property, value):
1999
1836
"D-Bus signal"
2000
1837
pass
2001
1838
2002
1839
# GotSecret - signal
2003
1840
@dbus.service.signal(_interface)
2004
1841
def GotSecret(self):
2007
1844
server to mandos-client
2008
1845
"""
2009
1846
pass
2010
1847
2011
1848
# Rejected - signal
2012
1849
@dbus.service.signal(_interface, signature="s")
2013
1850
def Rejected(self, reason):
2014
1851
"D-Bus signal"
2015
1852
pass
2016
1853
2017
1854
# NeedApproval - signal
2018
1855
@dbus.service.signal(_interface, signature="tb")
2019
1856
def NeedApproval(self, timeout, default):
2020
1857
"D-Bus signal"
2021
1858
return self.need_approval()
2022
2023
# Methods
2024
1859
1860
## Methods
1861
2025
1862
# Approve - method
2026
1863
@dbus.service.method(_interface, in_signature="b")
2027
1864
def Approve(self, value):
2028
1865
self.approve(value)
2029
1866
2030
1867
# CheckedOK - method
2031
1868
@dbus.service.method(_interface)
2032
1869
def CheckedOK(self):
2033
1870
self.checked_ok()
2034
1871
2035
1872
# Enable - method
2036
1873
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2037
1874
@dbus.service.method(_interface)
2038
1875
def Enable(self):
2039
1876
"D-Bus method"
2040
1877
self.enable()
2041
1878
2042
1879
# StartChecker - method
2043
1880
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2044
1881
@dbus.service.method(_interface)
2045
1882
def StartChecker(self):
2046
1883
"D-Bus method"
2047
1884
self.start_checker()
2048
1885
2049
1886
# Disable - method
2050
1887
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2051
1888
@dbus.service.method(_interface)
2052
1889
def Disable(self):
2053
1890
"D-Bus method"
2054
1891
self.disable()
2055
1892
2056
1893
# StopChecker - method
2057
1894
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2058
1895
@dbus.service.method(_interface)
2059
1896
def StopChecker(self):
2060
1897
self.stop_checker()
2061
2062
# Properties
2063
1898
1899
## Properties
1900
2064
1901
# ApprovalPending - property
2065
1902
@dbus_service_property(_interface, signature="b", access="read")
2066
1903
def ApprovalPending_dbus_property(self):
2067
1904
return dbus.Boolean(bool(self.approvals_pending))
2068
1905
2069
1906
# ApprovedByDefault - property
2070
1907
@dbus_service_property(_interface,
2071
1908
signature="b",
2074
1911
if value is None: # get
2075
1912
return dbus.Boolean(self.approved_by_default)
2076
1913
self.approved_by_default = bool(value)
2077
1914
2078
1915
# ApprovalDelay - property
2079
1916
@dbus_service_property(_interface,
2080
1917
signature="t",
2084
1921
return dbus.UInt64(self.approval_delay.total_seconds()
2085
1922
* 1000)
2086
1923
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2087
1924
2088
1925
# ApprovalDuration - property
2089
1926
@dbus_service_property(_interface,
2090
1927
signature="t",
2094
1931
return dbus.UInt64(self.approval_duration.total_seconds()
2095
1932
* 1000)
2096
1933
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2097
1934
2098
1935
# Name - property
2099
1936
@dbus_annotations(
2100
1937
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2101
1938
@dbus_service_property(_interface, signature="s", access="read")
2102
1939
def Name_dbus_property(self):
2103
1940
return dbus.String(self.name)
2104
2105
# KeyID - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2108
@dbus_service_property(_interface, signature="s", access="read")
2109
def KeyID_dbus_property(self):
2110
return dbus.String(self.key_id)
2111
1941
2112
1942
# Fingerprint - property
2113
1943
@dbus_annotations(
2114
1944
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2115
1945
@dbus_service_property(_interface, signature="s", access="read")
2116
1946
def Fingerprint_dbus_property(self):
2117
1947
return dbus.String(self.fingerprint)
2118
1948
2119
1949
# Host - property
2120
1950
@dbus_service_property(_interface,
2121
1951
signature="s",
2124
1954
if value is None: # get
2125
1955
return dbus.String(self.host)
2126
1956
self.host = str(value)
2127
1957
2128
1958
# Created - property
2129
1959
@dbus_annotations(
2130
1960
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2131
1961
@dbus_service_property(_interface, signature="s", access="read")
2132
1962
def Created_dbus_property(self):
2133
1963
return datetime_to_dbus(self.created)
2134
1964
2135
1965
# LastEnabled - property
2136
1966
@dbus_service_property(_interface, signature="s", access="read")
2137
1967
def LastEnabled_dbus_property(self):
2138
1968
return datetime_to_dbus(self.last_enabled)
2139
1969
2140
1970
# Enabled - property
2141
1971
@dbus_service_property(_interface,
2142
1972
signature="b",
2148
1978
self.enable()
2149
1979
else:
2150
1980
self.disable()
2151
1981
2152
1982
# LastCheckedOK - property
2153
1983
@dbus_service_property(_interface,
2154
1984
signature="s",
2158
1988
self.checked_ok()
2159
1989
return
2160
1990
return datetime_to_dbus(self.last_checked_ok)
2161
1991
2162
1992
# LastCheckerStatus - property
2163
1993
@dbus_service_property(_interface, signature="n", access="read")
2164
1994
def LastCheckerStatus_dbus_property(self):
2165
1995
return dbus.Int16(self.last_checker_status)
2166
1996
2167
1997
# Expires - property
2168
1998
@dbus_service_property(_interface, signature="s", access="read")
2169
1999
def Expires_dbus_property(self):
2170
2000
return datetime_to_dbus(self.expires)
2171
2001
2172
2002
# LastApprovalRequest - property
2173
2003
@dbus_service_property(_interface, signature="s", access="read")
2174
2004
def LastApprovalRequest_dbus_property(self):
2175
2005
return datetime_to_dbus(self.last_approval_request)
2176
2006
2177
2007
# Timeout - property
2178
2008
@dbus_service_property(_interface,
2179
2009
signature="t",
2194
2024
if (getattr(self, "disable_initiator_tag", None)
2195
2025
is None):
2196
2026
return
2197
GLib.source_remove(self.disable_initiator_tag)
2198
self.disable_initiator_tag = GLib.timeout_add(
2027
gobject.source_remove(self.disable_initiator_tag)
2028
self.disable_initiator_tag = gobject.timeout_add(
2199
2029
int((self.expires - now).total_seconds() * 1000),
2200
2030
self.disable)
2201
2031
2202
2032
# ExtendedTimeout - property
2203
2033
@dbus_service_property(_interface,
2204
2034
signature="t",
2208
2038
return dbus.UInt64(self.extended_timeout.total_seconds()
2209
2039
* 1000)
2210
2040
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2211
2041
2212
2042
# Interval - property
2213
2043
@dbus_service_property(_interface,
2214
2044
signature="t",
2221
2051
return
2222
2052
if self.enabled:
2223
2053
# Reschedule checker run
2224
GLib.source_remove(self.checker_initiator_tag)
2225
self.checker_initiator_tag = GLib.timeout_add(
2054
gobject.source_remove(self.checker_initiator_tag)
2055
self.checker_initiator_tag = gobject.timeout_add(
2226
2056
value, self.start_checker)
2227
self.start_checker() # Start one now, too
2228
2057
self.start_checker() # Start one now, too
2058
2229
2059
# Checker - property
2230
2060
@dbus_service_property(_interface,
2231
2061
signature="s",
2234
2064
if value is None: # get
2235
2065
return dbus.String(self.checker_command)
2236
2066
self.checker_command = str(value)
2237
2067
2238
2068
# CheckerRunning - property
2239
2069
@dbus_service_property(_interface,
2240
2070
signature="b",
2246
2076
self.start_checker()
2247
2077
else:
2248
2078
self.stop_checker()
2249
2079
2250
2080
# ObjectPath - property
2251
2081
@dbus_annotations(
2252
2082
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2253
2083
"org.freedesktop.DBus.Deprecated": "true"})
2254
2084
@dbus_service_property(_interface, signature="o", access="read")
2255
2085
def ObjectPath_dbus_property(self):
2256
return self.dbus_object_path # is already a dbus.ObjectPath
2257
2086
return self.dbus_object_path # is already a dbus.ObjectPath
2087
2258
2088
# Secret = property
2259
2089
@dbus_annotations(
2260
2090
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2265
2095
byte_arrays=True)
2266
2096
def Secret_dbus_property(self, value):
2267
2097
self.secret = bytes(value)
2268
2098
2269
2099
del _interface
2270
2100
2271
2101
2272
class ProxyClient:
2273
def __init__(self, child_pipe, key_id, fpr, address):
2102
class ProxyClient(object):
2103
def __init__(self, child_pipe, fpr, address):
2274
2104
self._pipe = child_pipe
2275
self._pipe.send(('init', key_id, fpr, address))
2105
self._pipe.send(('init', fpr, address))
2276
2106
if not self._pipe.recv():
2277
raise KeyError(key_id or fpr)
2278
2107
raise KeyError(fpr)
2108
2279
2109
def __getattribute__(self, name):
2280
2110
if name == '_pipe':
2281
2111
return super(ProxyClient, self).__getattribute__(name)
2284
2114
if data[0] == 'data':
2285
2115
return data[1]
2286
2116
if data[0] == 'function':
2287
2117
2288
2118
def func(*args, **kwargs):
2289
2119
self._pipe.send(('funcall', name, args, kwargs))
2290
2120
return self._pipe.recv()[1]
2291
2121
2292
2122
return func
2293
2123
2294
2124
def __setattr__(self, name, value):
2295
2125
if name == '_pipe':
2296
2126
return super(ProxyClient, self).__setattr__(name, value)
2299
2129
2300
2130
class ClientHandler(socketserver.BaseRequestHandler, object):
2301
2131
"""A class to handle client connections.
2302
2132
2303
2133
Instantiated once for each connection to handle it.
2304
2134
Note: This will run in its own forked process."""
2305
2135
2306
2136
def handle(self):
2307
2137
with contextlib.closing(self.server.child_pipe) as child_pipe:
2308
2138
logger.info("TCP connection from: %s",
2309
2139
str(self.client_address))
2310
2140
logger.debug("Pipe FD: %d",
2311
2141
self.server.child_pipe.fileno())
2312
2142
2313
2143
session = gnutls.ClientSession(self.request)
2314
2315
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2316
# "+AES-256-CBC", "+SHA1",
2317
# "+COMP-NULL", "+CTYPE-OPENPGP",
2318
# "+DHE-DSS"))
2144
2145
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2146
# "+AES-256-CBC", "+SHA1",
2147
# "+COMP-NULL", "+CTYPE-OPENPGP",
2148
# "+DHE-DSS"))
2319
2149
# Use a fallback default, since this MUST be set.
2320
2150
priority = self.server.gnutls_priority
2321
2151
if priority is None:
2322
2152
priority = "NORMAL"
2323
gnutls.priority_set_direct(session,
2324
priority.encode("utf-8"), None)
2325
2153
gnutls.priority_set_direct(session._c_object, priority,
2154
None)
2155
2326
2156
# Start communication using the Mandos protocol
2327
2157
# Get protocol number
2328
2158
line = self.request.makefile().readline()
2333
2163
except (ValueError, IndexError, RuntimeError) as error:
2334
2164
logger.error("Unknown protocol version: %s", error)
2335
2165
return
2336
2166
2337
2167
# Start GnuTLS connection
2338
2168
try:
2339
2169
session.handshake()
2343
2173
# established. Just abandon the request.
2344
2174
return
2345
2175
logger.debug("Handshake succeeded")
2346
2176
2347
2177
approval_required = False
2348
2178
try:
2349
if gnutls.has_rawpk:
2350
fpr = b""
2351
try:
2352
key_id = self.key_id(
2353
self.peer_certificate(session))
2354
except (TypeError, gnutls.Error) as error:
2355
logger.warning("Bad certificate: %s", error)
2356
return
2357
logger.debug("Key ID: %s",
2358
key_id.decode("utf-8",
2359
errors="replace"))
2360
2361
else:
2362
key_id = b""
2363
try:
2364
fpr = self.fingerprint(
2365
self.peer_certificate(session))
2366
except (TypeError, gnutls.Error) as error:
2367
logger.warning("Bad certificate: %s", error)
2368
return
2369
logger.debug("Fingerprint: %s", fpr)
2370
2371
try:
2372
client = ProxyClient(child_pipe, key_id, fpr,
2179
try:
2180
fpr = self.fingerprint(
2181
self.peer_certificate(session))
2182
except (TypeError, gnutls.Error) as error:
2183
logger.warning("Bad certificate: %s", error)
2184
return
2185
logger.debug("Fingerprint: %s", fpr)
2186
2187
try:
2188
client = ProxyClient(child_pipe, fpr,
2373
2189
self.client_address)
2374
2190
except KeyError:
2375
2191
return
2376
2192
2377
2193
if client.approval_delay:
2378
2194
delay = client.approval_delay
2379
2195
client.approvals_pending += 1
2380
2196
approval_required = True
2381
2197
2382
2198
while True:
2383
2199
if not client.enabled:
2384
2200
logger.info("Client %s is disabled",
2387
2203
# Emit D-Bus signal
2388
2204
client.Rejected("Disabled")
2389
2205
return
2390
2206
2391
2207
if client.approved or not client.approval_delay:
2392
# We are approved or approval is disabled
2208
#We are approved or approval is disabled
2393
2209
break
2394
2210
elif client.approved is None:
2395
2211
logger.info("Client %s needs approval",
2406
2222
# Emit D-Bus signal
2407
2223
client.Rejected("Denied")
2408
2224
return
2409
2410
# wait until timeout or approved
2225
2226
#wait until timeout or approved
2411
2227
time = datetime.datetime.now()
2412
2228
client.changedstate.acquire()
2413
2229
client.changedstate.wait(delay.total_seconds())
2426
2242
break
2427
2243
else:
2428
2244
delay -= time2 - time
2429
2245
2430
2246
try:
2431
2247
session.send(client.secret)
2432
2248
except gnutls.Error as error:
2433
2249
logger.warning("gnutls send failed",
2434
exc_info=error)
2250
exc_info = error)
2435
2251
return
2436
2252
2437
2253
logger.info("Sending secret to %s", client.name)
2438
2254
# bump the timeout using extended_timeout
2439
2255
client.bump_timeout(client.extended_timeout)
2440
2256
if self.server.use_dbus:
2441
2257
# Emit D-Bus signal
2442
2258
client.GotSecret()
2443
2259
2444
2260
finally:
2445
2261
if approval_required:
2446
2262
client.approvals_pending -= 1
2449
2265
except gnutls.Error as error:
2450
2266
logger.warning("GnuTLS bye failed",
2451
2267
exc_info=error)
2452
2268
2453
2269
@staticmethod
2454
2270
def peer_certificate(session):
2455
"Return the peer's certificate as a bytestring"
2456
try:
2457
cert_type = gnutls.certificate_type_get2(
2458
session, gnutls.CTYPE_PEERS)
2459
except AttributeError:
2460
cert_type = gnutls.certificate_type_get(session)
2461
if gnutls.has_rawpk:
2462
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2463
else:
2464
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2465
# If not a valid certificate type...
2466
if cert_type not in valid_cert_types:
2467
logger.info("Cert type %r not in %r", cert_type,
2468
valid_cert_types)
2271
"Return the peer's OpenPGP certificate as a bytestring"
2272
# If not an OpenPGP certificate...
2273
if (gnutls.certificate_type_get(session._c_object)
2274
!= gnutls.CRT_OPENPGP):
2469
2275
# ...return invalid data
2470
2276
return b""
2471
2277
list_size = ctypes.c_uint(1)
2472
2278
cert_list = (gnutls.certificate_get_peers
2473
(session, ctypes.byref(list_size)))
2279
(session._c_object, ctypes.byref(list_size)))
2474
2280
if not bool(cert_list) and list_size.value != 0:
2475
2281
raise gnutls.Error("error getting peer certificate")
2476
2282
if list_size.value == 0:
2477
2283
return None
2478
2284
cert = cert_list[0]
2479
2285
return ctypes.string_at(cert.data, cert.size)
2480
2481
@staticmethod
2482
def key_id(certificate):
2483
"Convert a certificate bytestring to a hexdigit key ID"
2484
# New GnuTLS "datum" with the public key
2485
datum = gnutls.datum_t(
2486
ctypes.cast(ctypes.c_char_p(certificate),
2487
ctypes.POINTER(ctypes.c_ubyte)),
2488
ctypes.c_uint(len(certificate)))
2489
# XXX all these need to be created in the gnutls "module"
2490
# New empty GnuTLS certificate
2491
pubkey = gnutls.pubkey_t()
2492
gnutls.pubkey_init(ctypes.byref(pubkey))
2493
# Import the raw public key into the certificate
2494
gnutls.pubkey_import(pubkey,
2495
ctypes.byref(datum),
2496
gnutls.X509_FMT_DER)
2497
# New buffer for the key ID
2498
buf = ctypes.create_string_buffer(32)
2499
buf_len = ctypes.c_size_t(len(buf))
2500
# Get the key ID from the raw public key into the buffer
2501
gnutls.pubkey_get_key_id(
2502
pubkey,
2503
gnutls.KEYID_USE_SHA256,
2504
ctypes.cast(ctypes.byref(buf),
2505
ctypes.POINTER(ctypes.c_ubyte)),
2506
ctypes.byref(buf_len))
2507
# Deinit the certificate
2508
gnutls.pubkey_deinit(pubkey)
2509
2510
# Convert the buffer to a Python bytestring
2511
key_id = ctypes.string_at(buf, buf_len.value)
2512
# Convert the bytestring to hexadecimal notation
2513
hex_key_id = binascii.hexlify(key_id).upper()
2514
return hex_key_id
2515
2286
2516
2287
@staticmethod
2517
2288
def fingerprint(openpgp):
2518
2289
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2533
2304
ctypes.byref(crtverify))
2534
2305
if crtverify.value != 0:
2535
2306
gnutls.openpgp_crt_deinit(crt)
2536
raise gnutls.CertificateSecurityError(code
2537
=crtverify.value)
2307
raise gnutls.CertificateSecurityError("Verify failed")
2538
2308
# New buffer for the fingerprint
2539
2309
buf = ctypes.create_string_buffer(20)
2540
2310
buf_len = ctypes.c_size_t()
2550
2320
return hex_fpr
2551
2321
2552
2322
2553
class MultiprocessingMixIn:
2323
class MultiprocessingMixIn(object):
2554
2324
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2555
2325
2556
2326
def sub_process_main(self, request, address):
2557
2327
try:
2558
2328
self.finish_request(request, address)
2559
2329
except Exception:
2560
2330
self.handle_error(request, address)
2561
2331
self.close_request(request)
2562
2332
2563
2333
def process_request(self, request, address):
2564
2334
"""Start a new process to process the request."""
2565
proc = multiprocessing.Process(target=self.sub_process_main,
2566
args=(request, address))
2335
proc = multiprocessing.Process(target = self.sub_process_main,
2336
args = (request, address))
2567
2337
proc.start()
2568
2338
return proc
2569
2339
2570
2340
2571
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2341
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2572
2342
""" adds a pipe to the MixIn """
2573
2343
2574
2344
def process_request(self, request, client_address):
2575
2345
"""Overrides and wraps the original process_request().
2576
2346
2577
2347
This function creates a new pipe in self.pipe
2578
2348
"""
2579
2349
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2580
2350
2581
2351
proc = MultiprocessingMixIn.process_request(self, request,
2582
2352
client_address)
2583
2353
self.child_pipe.close()
2584
2354
self.add_pipe(parent_pipe, proc)
2585
2355
2586
2356
def add_pipe(self, parent_pipe, proc):
2587
2357
"""Dummy function; override as necessary"""
2588
2358
raise NotImplementedError()
2589
2359
2590
2360
2591
2361
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2592
socketserver.TCPServer):
2362
socketserver.TCPServer, object):
2593
2363
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2594
2364
2595
2365
Attributes:
2596
2366
enabled: Boolean; whether this server is activated yet
2597
2367
interface: None or a network interface name (string)
2598
2368
use_ipv6: Boolean; to use IPv6 or not
2599
2369
"""
2600
2370
2601
2371
def __init__(self, server_address, RequestHandlerClass,
2602
2372
interface=None,
2603
2373
use_ipv6=True,
2613
2383
self.socketfd = socketfd
2614
2384
# Save the original socket.socket() function
2615
2385
self.socket_socket = socket.socket
2616
2617
2386
# To implement --socket, we monkey patch socket.socket.
2618
#
2387
#
2619
2388
# (When socketserver.TCPServer is a new-style class, we
2620
2389
# could make self.socket into a property instead of monkey
2621
2390
# patching socket.socket.)
2622
#
2391
#
2623
2392
# Create a one-time-only replacement for socket.socket()
2624
2393
@functools.wraps(socket.socket)
2625
2394
def socket_wrapper(*args, **kwargs):
2637
2406
# socket_wrapper(), if socketfd was set.
2638
2407
socketserver.TCPServer.__init__(self, server_address,
2639
2408
RequestHandlerClass)
2640
2409
2641
2410
def server_bind(self):
2642
2411
"""This overrides the normal server_bind() function
2643
2412
to bind to an interface if one was specified, and also NOT to
2644
2413
bind to an address or port if they were not specified."""
2645
global SO_BINDTODEVICE
2646
2414
if self.interface is not None:
2647
2415
if SO_BINDTODEVICE is None:
2648
# Fall back to a hard-coded value which seems to be
2649
# common enough.
2650
logger.warning("SO_BINDTODEVICE not found, trying 25")
2651
SO_BINDTODEVICE = 25
2652
try:
2653
self.socket.setsockopt(
2654
socket.SOL_SOCKET, SO_BINDTODEVICE,
2655
(self.interface + "\0").encode("utf-8"))
2656
except socket.error as error:
2657
if error.errno == errno.EPERM:
2658
logger.error("No permission to bind to"
2659
" interface %s", self.interface)
2660
elif error.errno == errno.ENOPROTOOPT:
2661
logger.error("SO_BINDTODEVICE not available;"
2662
" cannot bind to interface %s",
2663
self.interface)
2664
elif error.errno == errno.ENODEV:
2665
logger.error("Interface %s does not exist,"
2666
" cannot bind", self.interface)
2667
else:
2668
raise
2416
logger.error("SO_BINDTODEVICE does not exist;"
2417
" cannot bind to interface %s",
2418
self.interface)
2419
else:
2420
try:
2421
self.socket.setsockopt(
2422
socket.SOL_SOCKET, SO_BINDTODEVICE,
2423
(self.interface + "\0").encode("utf-8"))
2424
except socket.error as error:
2425
if error.errno == errno.EPERM:
2426
logger.error("No permission to bind to"
2427
" interface %s", self.interface)
2428
elif error.errno == errno.ENOPROTOOPT:
2429
logger.error("SO_BINDTODEVICE not available;"
2430
" cannot bind to interface %s",
2431
self.interface)
2432
elif error.errno == errno.ENODEV:
2433
logger.error("Interface %s does not exist,"
2434
" cannot bind", self.interface)
2435
else:
2436
raise
2669
2437
# Only bind(2) the socket if we really need to.
2670
2438
if self.server_address[0] or self.server_address[1]:
2671
if self.server_address[1]:
2672
self.allow_reuse_address = True
2673
2439
if not self.server_address[0]:
2674
2440
if self.address_family == socket.AF_INET6:
2675
any_address = "::" # in6addr_any
2441
any_address = "::" # in6addr_any
2676
2442
else:
2677
any_address = "0.0.0.0" # INADDR_ANY
2443
any_address = "0.0.0.0" # INADDR_ANY
2678
2444
self.server_address = (any_address,
2679
2445
self.server_address[1])
2680
2446
elif not self.server_address[1]:
2690
2456
2691
2457
class MandosServer(IPv6_TCPServer):
2692
2458
"""Mandos server.
2693
2459
2694
2460
Attributes:
2695
2461
clients: set of Client objects
2696
2462
gnutls_priority GnuTLS priority string
2697
2463
use_dbus: Boolean; to emit D-Bus signals or not
2698
2699
Assumes a GLib.MainLoop event loop.
2464
2465
Assumes a gobject.MainLoop event loop.
2700
2466
"""
2701
2467
2702
2468
def __init__(self, server_address, RequestHandlerClass,
2703
2469
interface=None,
2704
2470
use_ipv6=True,
2714
2480
self.gnutls_priority = gnutls_priority
2715
2481
IPv6_TCPServer.__init__(self, server_address,
2716
2482
RequestHandlerClass,
2717
interface=interface,
2718
use_ipv6=use_ipv6,
2719
socketfd=socketfd)
2720
2483
interface = interface,
2484
use_ipv6 = use_ipv6,
2485
socketfd = socketfd)
2486
2721
2487
def server_activate(self):
2722
2488
if self.enabled:
2723
2489
return socketserver.TCPServer.server_activate(self)
2724
2490
2725
2491
def enable(self):
2726
2492
self.enabled = True
2727
2493
2728
2494
def add_pipe(self, parent_pipe, proc):
2729
2495
# Call "handle_ipc" for both data and EOF events
2730
GLib.io_add_watch(
2731
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2732
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2496
gobject.io_add_watch(
2497
parent_pipe.fileno(),
2498
gobject.IO_IN | gobject.IO_HUP,
2733
2499
functools.partial(self.handle_ipc,
2734
parent_pipe=parent_pipe,
2735
proc=proc))
2736
2500
parent_pipe = parent_pipe,
2501
proc = proc))
2502
2737
2503
def handle_ipc(self, source, condition,
2738
2504
parent_pipe=None,
2739
proc=None,
2505
proc = None,
2740
2506
client_object=None):
2741
2507
# error, or the other end of multiprocessing.Pipe has closed
2742
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2508
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2743
2509
# Wait for other process to exit
2744
2510
proc.join()
2745
2511
return False
2746
2512
2747
2513
# Read a request from the child
2748
2514
request = parent_pipe.recv()
2749
2515
command = request[0]
2750
2516
2751
2517
if command == 'init':
2752
key_id = request[1].decode("ascii")
2753
fpr = request[2].decode("ascii")
2754
address = request[3]
2755
2756
for c in self.clients.values():
2757
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2758
"27AE41E4649B934CA495991B7852B855"):
2759
continue
2760
if key_id and c.key_id == key_id:
2761
client = c
2762
break
2763
if fpr and c.fingerprint == fpr:
2518
fpr = request[1]
2519
address = request[2]
2520
2521
for c in self.clients.itervalues():
2522
if c.fingerprint == fpr:
2764
2523
client = c
2765
2524
break
2766
2525
else:
2767
logger.info("Client not found for key ID: %s, address"
2768
": %s", key_id or fpr, address)
2526
logger.info("Client not found for fingerprint: %s, ad"
2527
"dress: %s", fpr, address)
2769
2528
if self.use_dbus:
2770
2529
# Emit D-Bus signal
2771
mandos_dbus_service.ClientNotFound(key_id or fpr,
2530
mandos_dbus_service.ClientNotFound(fpr,
2772
2531
address[0])
2773
2532
parent_pipe.send(False)
2774
2533
return False
2775
2776
GLib.io_add_watch(
2777
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2778
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2534
2535
gobject.io_add_watch(
2536
parent_pipe.fileno(),
2537
gobject.IO_IN | gobject.IO_HUP,
2779
2538
functools.partial(self.handle_ipc,
2780
parent_pipe=parent_pipe,
2781
proc=proc,
2782
client_object=client))
2539
parent_pipe = parent_pipe,
2540
proc = proc,
2541
client_object = client))
2783
2542
parent_pipe.send(True)
2784
2543
# remove the old hook in favor of the new above hook on
2785
2544
# same fileno
2788
2547
funcname = request[1]
2789
2548
args = request[2]
2790
2549
kwargs = request[3]
2791
2550
2792
2551
parent_pipe.send(('data', getattr(client_object,
2793
2552
funcname)(*args,
2794
2553
**kwargs)))
2795
2554
2796
2555
if command == 'getattr':
2797
2556
attrname = request[1]
2798
2557
if isinstance(client_object.__getattribute__(attrname),
2799
collections.abc.Callable):
2558
collections.Callable):
2800
2559
parent_pipe.send(('function', ))
2801
2560
else:
2802
2561
parent_pipe.send((
2803
2562
'data', client_object.__getattribute__(attrname)))
2804
2563
2805
2564
if command == 'setattr':
2806
2565
attrname = request[1]
2807
2566
value = request[2]
2808
2567
setattr(client_object, attrname, value)
2809
2568
2810
2569
return True
2811
2570
2812
2571
2813
2572
def rfc3339_duration_to_delta(duration):
2814
2573
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2815
2816
>>> timedelta = datetime.timedelta
2817
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2818
True
2819
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2820
True
2821
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2822
True
2823
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2824
True
2825
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2826
True
2827
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2828
True
2829
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2830
True
2831
>>> del timedelta
2574
2575
>>> rfc3339_duration_to_delta("P7D")
2576
datetime.timedelta(7)
2577
>>> rfc3339_duration_to_delta("PT60S")
2578
datetime.timedelta(0, 60)
2579
>>> rfc3339_duration_to_delta("PT60M")
2580
datetime.timedelta(0, 3600)
2581
>>> rfc3339_duration_to_delta("PT24H")
2582
datetime.timedelta(1)
2583
>>> rfc3339_duration_to_delta("P1W")
2584
datetime.timedelta(7)
2585
>>> rfc3339_duration_to_delta("PT5M30S")
2586
datetime.timedelta(0, 330)
2587
>>> rfc3339_duration_to_delta("P1DT3M20S")
2588
datetime.timedelta(1, 200)
2832
2589
"""
2833
2590
2834
2591
# Parsing an RFC 3339 duration with regular expressions is not
2835
2592
# possible - there would have to be multiple places for the same
2836
2593
# values, like seconds. The current code, while more esoteric, is
2837
2594
# cleaner without depending on a parsing library. If Python had a
2838
2595
# built-in library for parsing we would use it, but we'd like to
2839
2596
# avoid excessive use of external libraries.
2840
2597
2841
2598
# New type for defining tokens, syntax, and semantics all-in-one
2842
2599
Token = collections.namedtuple("Token", (
2843
2600
"regexp", # To match token; if "value" is not None, must have
2876
2633
frozenset((token_year, token_month,
2877
2634
token_day, token_time,
2878
2635
token_week)))
2879
# Define starting values:
2880
# Value so far
2881
value = datetime.timedelta()
2636
# Define starting values
2637
value = datetime.timedelta() # Value so far
2882
2638
found_token = None
2883
# Following valid tokens
2884
followers = frozenset((token_duration, ))
2885
# String left to parse
2886
s = duration
2639
followers = frozenset((token_duration, )) # Following valid tokens
2640
s = duration # String left to parse
2887
2641
# Loop until end token is found
2888
2642
while found_token is not token_end:
2889
2643
# Search for any currently valid tokens
2913
2667
2914
2668
def string_to_delta(interval):
2915
2669
"""Parse a string and return a datetime.timedelta
2916
2917
>>> string_to_delta('7d') == datetime.timedelta(7)
2918
True
2919
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2920
True
2921
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2922
True
2923
>>> string_to_delta('24h') == datetime.timedelta(1)
2924
True
2925
>>> string_to_delta('1w') == datetime.timedelta(7)
2926
True
2927
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2928
True
2670
2671
>>> string_to_delta('7d')
2672
datetime.timedelta(7)
2673
>>> string_to_delta('60s')
2674
datetime.timedelta(0, 60)
2675
>>> string_to_delta('60m')
2676
datetime.timedelta(0, 3600)
2677
>>> string_to_delta('24h')
2678
datetime.timedelta(1)
2679
>>> string_to_delta('1w')
2680
datetime.timedelta(7)
2681
>>> string_to_delta('5m 30s')
2682
datetime.timedelta(0, 330)
2929
2683
"""
2930
2684
2931
2685
try:
2932
2686
return rfc3339_duration_to_delta(interval)
2933
2687
except ValueError:
2934
2688
pass
2935
2689
2936
2690
timevalue = datetime.timedelta(0)
2937
2691
for s in interval.split():
2938
2692
try:
2956
2710
return timevalue
2957
2711
2958
2712
2959
def daemon(nochdir=False, noclose=False):
2713
def daemon(nochdir = False, noclose = False):
2960
2714
"""See daemon(3). Standard BSD Unix function.
2961
2715
2962
2716
This should really exist as os.daemon, but it doesn't (yet)."""
2963
2717
if os.fork():
2964
2718
sys.exit()
2982
2736
2983
2737
2984
2738
def main():
2985
2739
2986
2740
##################################################################
2987
2741
# Parsing of options, both command line and config file
2988
2742
2989
2743
parser = argparse.ArgumentParser()
2990
2744
parser.add_argument("-v", "--version", action="version",
2991
version="%(prog)s {}".format(version),
2745
version = "%(prog)s {}".format(version),
2992
2746
help="show version number and exit")
2993
2747
parser.add_argument("-i", "--interface", metavar="IF",
2994
2748
help="Bind to interface IF")
3030
2784
parser.add_argument("--no-zeroconf", action="store_false",
3031
2785
dest="zeroconf", help="Do not use Zeroconf",
3032
2786
default=None)
3033
2787
3034
2788
options = parser.parse_args()
3035
2789
2790
if options.check:
2791
import doctest
2792
fail_count, test_count = doctest.testmod()
2793
sys.exit(os.EX_OK if fail_count == 0 else 1)
2794
3036
2795
# Default values for config file for server-global settings
3037
if gnutls.has_rawpk:
3038
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3039
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3040
else:
3041
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3042
":+SIGN-DSA-SHA256")
3043
server_defaults = {"interface": "",
3044
"address": "",
3045
"port": "",
3046
"debug": "False",
3047
"priority": priority,
3048
"servicename": "Mandos",
3049
"use_dbus": "True",
3050
"use_ipv6": "True",
3051
"debuglevel": "",
3052
"restore": "True",
3053
"socket": "",
3054
"statedir": "/var/lib/mandos",
3055
"foreground": "False",
3056
"zeroconf": "True",
3057
}
3058
del priority
3059
2796
server_defaults = { "interface": "",
2797
"address": "",
2798
"port": "",
2799
"debug": "False",
2800
"priority":
2801
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2802
":+SIGN-DSA-SHA256",
2803
"servicename": "Mandos",
2804
"use_dbus": "True",
2805
"use_ipv6": "True",
2806
"debuglevel": "",
2807
"restore": "True",
2808
"socket": "",
2809
"statedir": "/var/lib/mandos",
2810
"foreground": "False",
2811
"zeroconf": "True",
2812
}
2813
3060
2814
# Parse config file for server-global settings
3061
server_config = configparser.ConfigParser(server_defaults)
2815
server_config = configparser.SafeConfigParser(server_defaults)
3062
2816
del server_defaults
3063
2817
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3064
# Convert the ConfigParser object to a dict
2818
# Convert the SafeConfigParser object to a dict
3065
2819
server_settings = server_config.defaults()
3066
2820
# Use the appropriate methods on the non-string config options
3067
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3068
"foreground", "zeroconf"):
2821
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3069
2822
server_settings[option] = server_config.getboolean("DEFAULT",
3070
2823
option)
3071
2824
if server_settings["port"]:
3081
2834
server_settings["socket"] = os.dup(server_settings
3082
2835
["socket"])
3083
2836
del server_config
3084
2837
3085
2838
# Override the settings from the config file with command line
3086
2839
# options, if set.
3087
2840
for option in ("interface", "address", "port", "debug",
3105
2858
if server_settings["debug"]:
3106
2859
server_settings["foreground"] = True
3107
2860
# Now we have our good server settings in "server_settings"
3108
2861
3109
2862
##################################################################
3110
2863
3111
2864
if (not server_settings["zeroconf"]
3112
2865
and not (server_settings["port"]
3113
2866
or server_settings["socket"] != "")):
3114
2867
parser.error("Needs port or socket to work without Zeroconf")
3115
2868
3116
2869
# For convenience
3117
2870
debug = server_settings["debug"]
3118
2871
debuglevel = server_settings["debuglevel"]
3122
2875
stored_state_file)
3123
2876
foreground = server_settings["foreground"]
3124
2877
zeroconf = server_settings["zeroconf"]
3125
2878
3126
2879
if debug:
3127
2880
initlogger(debug, logging.DEBUG)
3128
2881
else:
3131
2884
else:
3132
2885
level = getattr(logging, debuglevel.upper())
3133
2886
initlogger(debug, level)
3134
2887
3135
2888
if server_settings["servicename"] != "Mandos":
3136
2889
syslogger.setFormatter(
3137
2890
logging.Formatter('Mandos ({}) [%(process)d]:'
3138
2891
' %(levelname)s: %(message)s'.format(
3139
2892
server_settings["servicename"])))
3140
2893
3141
2894
# Parse config file with clients
3142
client_config = configparser.ConfigParser(Client.client_defaults)
2895
client_config = configparser.SafeConfigParser(Client
2896
.client_defaults)
3143
2897
client_config.read(os.path.join(server_settings["configdir"],
3144
2898
"clients.conf"))
3145
2899
3146
2900
global mandos_dbus_service
3147
2901
mandos_dbus_service = None
3148
2902
3149
2903
socketfd = None
3150
2904
if server_settings["socket"] != "":
3151
2905
socketfd = server_settings["socket"]
3167
2921
except IOError as e:
3168
2922
logger.error("Could not open file %r", pidfilename,
3169
2923
exc_info=e)
3170
2924
3171
2925
for name, group in (("_mandos", "_mandos"),
3172
2926
("mandos", "mandos"),
3173
2927
("nobody", "nogroup")):
3183
2937
try:
3184
2938
os.setgid(gid)
3185
2939
os.setuid(uid)
3186
if debug:
3187
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3188
gid))
3189
2940
except OSError as error:
3190
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3191
.format(uid, gid, os.strerror(error.errno)))
3192
2941
if error.errno != errno.EPERM:
3193
2942
raise
3194
2943
3195
2944
if debug:
3196
2945
# Enable all possible GnuTLS debugging
3197
2946
3198
2947
# "Use a log level over 10 to enable all debugging options."
3199
2948
# - GnuTLS manual
3200
2949
gnutls.global_set_log_level(11)
3201
2950
3202
2951
@gnutls.log_func
3203
2952
def debug_gnutls(level, string):
3204
logger.debug("GnuTLS: %s",
3205
string[:-1].decode("utf-8",
3206
errors="replace"))
3207
2953
logger.debug("GnuTLS: %s", string[:-1])
2954
3208
2955
gnutls.global_set_log_function(debug_gnutls)
3209
2956
3210
2957
# Redirect stdin so all checkers get /dev/null
3211
2958
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3212
2959
os.dup2(null, sys.stdin.fileno())
3213
2960
if null > 2:
3214
2961
os.close(null)
3215
2962
3216
2963
# Need to fork before connecting to D-Bus
3217
2964
if not foreground:
3218
2965
# Close all input and output, do double fork, etc.
3219
2966
daemon()
3220
3221
if gi.version_info < (3, 10, 2):
3222
# multiprocessing will use threads, so before we use GLib we
3223
# need to inform GLib that threads will be used.
3224
GLib.threads_init()
3225
2967
2968
# multiprocessing will use threads, so before we use gobject we
2969
# need to inform gobject that threads will be used.
2970
gobject.threads_init()
2971
3226
2972
global main_loop
3227
2973
# From the Avahi example code
3228
2974
DBusGMainLoop(set_as_default=True)
3229
main_loop = GLib.MainLoop()
2975
main_loop = gobject.MainLoop()
3230
2976
bus = dbus.SystemBus()
3231
2977
# End of Avahi example code
3232
2978
if use_dbus:
3245
2991
if zeroconf:
3246
2992
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3247
2993
service = AvahiServiceToSyslog(
3248
name=server_settings["servicename"],
3249
servicetype="_mandos._tcp",
3250
protocol=protocol,
3251
bus=bus)
2994
name = server_settings["servicename"],
2995
servicetype = "_mandos._tcp",
2996
protocol = protocol,
2997
bus = bus)
3252
2998
if server_settings["interface"]:
3253
2999
service.interface = if_nametoindex(
3254
3000
server_settings["interface"].encode("utf-8"))
3255
3001
3256
3002
global multiprocessing_manager
3257
3003
multiprocessing_manager = multiprocessing.Manager()
3258
3004
3259
3005
client_class = Client
3260
3006
if use_dbus:
3261
client_class = functools.partial(ClientDBus, bus=bus)
3262
3007
client_class = functools.partial(ClientDBus, bus = bus)
3008
3263
3009
client_settings = Client.config_parser(client_config)
3264
3010
old_client_settings = {}
3265
3011
clients_data = {}
3266
3012
3267
3013
# This is used to redirect stdout and stderr for checker processes
3268
3014
global wnull
3269
wnull = open(os.devnull, "w") # A writable /dev/null
3015
wnull = open(os.devnull, "w") # A writable /dev/null
3270
3016
# Only used if server is running in foreground but not in debug
3271
3017
# mode
3272
3018
if debug or not foreground:
3273
3019
wnull.close()
3274
3020
3275
3021
# Get client data and settings from last running state.
3276
3022
if server_settings["restore"]:
3277
3023
try:
3278
3024
with open(stored_state_path, "rb") as stored_state:
3279
if sys.version_info.major == 2:
3280
clients_data, old_client_settings = pickle.load(
3281
stored_state)
3282
else:
3283
bytes_clients_data, bytes_old_client_settings = (
3284
pickle.load(stored_state, encoding="bytes"))
3285
# Fix bytes to strings
3286
# clients_data
3287
# .keys()
3288
clients_data = {(key.decode("utf-8")
3289
if isinstance(key, bytes)
3290
else key): value
3291
for key, value in
3292
bytes_clients_data.items()}
3293
del bytes_clients_data
3294
for key in clients_data:
3295
value = {(k.decode("utf-8")
3296
if isinstance(k, bytes) else k): v
3297
for k, v in
3298
clients_data[key].items()}
3299
clients_data[key] = value
3300
# .client_structure
3301
value["client_structure"] = [
3302
(s.decode("utf-8")
3303
if isinstance(s, bytes)
3304
else s) for s in
3305
value["client_structure"]]
3306
# .name, .host, and .checker_command
3307
for k in ("name", "host", "checker_command"):
3308
if isinstance(value[k], bytes):
3309
value[k] = value[k].decode("utf-8")
3310
if "key_id" not in value:
3311
value["key_id"] = ""
3312
elif "fingerprint" not in value:
3313
value["fingerprint"] = ""
3314
# old_client_settings
3315
# .keys()
3316
old_client_settings = {
3317
(key.decode("utf-8")
3318
if isinstance(key, bytes)
3319
else key): value
3320
for key, value in
3321
bytes_old_client_settings.items()}
3322
del bytes_old_client_settings
3323
# .host and .checker_command
3324
for value in old_client_settings.values():
3325
for attribute in ("host", "checker_command"):
3326
if isinstance(value[attribute], bytes):
3327
value[attribute] = (value[attribute]
3328
.decode("utf-8"))
3025
clients_data, old_client_settings = pickle.load(
3026
stored_state)
3329
3027
os.remove(stored_state_path)
3330
3028
except IOError as e:
3331
3029
if e.errno == errno.ENOENT:
3339
3037
logger.warning("Could not load persistent state: "
3340
3038
"EOFError:",
3341
3039
exc_info=e)
3342
3040
3343
3041
with PGPEngine() as pgp:
3344
3042
for client_name, client in clients_data.items():
3345
3043
# Skip removed clients
3346
3044
if client_name not in client_settings:
3347
3045
continue
3348
3046
3349
3047
# Decide which value to use after restoring saved state.
3350
3048
# We have three different values: Old config file,
3351
3049
# new config file, and saved state.
3362
3060
client[name] = value
3363
3061
except KeyError:
3364
3062
pass
3365
3063
3366
3064
# Clients who has passed its expire date can still be
3367
3065
# enabled if its last checker was successful. A Client
3368
3066
# whose checker succeeded before we stored its state is
3401
3099
client_name))
3402
3100
client["secret"] = (client_settings[client_name]
3403
3101
["secret"])
3404
3102
3405
3103
# Add/remove clients based on new changes made to config
3406
3104
for client_name in (set(old_client_settings)
3407
3105
- set(client_settings)):
3409
3107
for client_name in (set(client_settings)
3410
3108
- set(old_client_settings)):
3411
3109
clients_data[client_name] = client_settings[client_name]
3412
3110
3413
3111
# Create all client objects
3414
3112
for client_name, client in clients_data.items():
3415
3113
tcp_server.clients[client_name] = client_class(
3416
name=client_name,
3417
settings=client,
3418
server_settings=server_settings)
3419
3114
name = client_name,
3115
settings = client,
3116
server_settings = server_settings)
3117
3420
3118
if not tcp_server.clients:
3421
3119
logger.warning("No clients defined")
3422
3120
3423
3121
if not foreground:
3424
3122
if pidfile is not None:
3425
3123
pid = os.getpid()
3431
3129
pidfilename, pid)
3432
3130
del pidfile
3433
3131
del pidfilename
3434
3435
for termsig in (signal.SIGHUP, signal.SIGTERM):
3436
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3437
lambda: main_loop.quit() and False)
3438
3132
3133
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3134
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3135
3439
3136
if use_dbus:
3440
3137
3441
3138
@alternate_dbus_interfaces(
3442
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3139
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3443
3140
class MandosDBusService(DBusObjectWithObjectManager):
3444
3141
"""A D-Bus proxy object"""
3445
3142
3446
3143
def __init__(self):
3447
3144
dbus.service.Object.__init__(self, bus, "/")
3448
3145
3449
3146
_interface = "se.recompile.Mandos"
3450
3147
3451
3148
@dbus.service.signal(_interface, signature="o")
3452
3149
def ClientAdded(self, objpath):
3453
3150
"D-Bus signal"
3454
3151
pass
3455
3152
3456
3153
@dbus.service.signal(_interface, signature="ss")
3457
def ClientNotFound(self, key_id, address):
3154
def ClientNotFound(self, fingerprint, address):
3458
3155
"D-Bus signal"
3459
3156
pass
3460
3157
3461
3158
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3462
3159
"true"})
3463
3160
@dbus.service.signal(_interface, signature="os")
3464
3161
def ClientRemoved(self, objpath, name):
3465
3162
"D-Bus signal"
3466
3163
pass
3467
3164
3468
3165
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3469
3166
"true"})
3470
3167
@dbus.service.method(_interface, out_signature="ao")
3471
3168
def GetAllClients(self):
3472
3169
"D-Bus method"
3473
3170
return dbus.Array(c.dbus_object_path for c in
3474
tcp_server.clients.values())
3475
3171
tcp_server.clients.itervalues())
3172
3476
3173
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3477
3174
"true"})
3478
3175
@dbus.service.method(_interface,
3480
3177
def GetAllClientsWithProperties(self):
3481
3178
"D-Bus method"
3482
3179
return dbus.Dictionary(
3483
{c.dbus_object_path: c.GetAll(
3180
{ c.dbus_object_path: c.GetAll(
3484
3181
"se.recompile.Mandos.Client")
3485
for c in tcp_server.clients.values()},
3182
for c in tcp_server.clients.itervalues() },
3486
3183
signature="oa{sv}")
3487
3184
3488
3185
@dbus.service.method(_interface, in_signature="o")
3489
3186
def RemoveClient(self, object_path):
3490
3187
"D-Bus method"
3491
for c in tcp_server.clients.values():
3188
for c in tcp_server.clients.itervalues():
3492
3189
if c.dbus_object_path == object_path:
3493
3190
del tcp_server.clients[c.name]
3494
3191
c.remove_from_connection()
3498
3195
self.client_removed_signal(c)
3499
3196
return
3500
3197
raise KeyError(object_path)
3501
3198
3502
3199
del _interface
3503
3200
3504
3201
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3505
out_signature="a{oa{sa{sv}}}")
3202
out_signature = "a{oa{sa{sv}}}")
3506
3203
def GetManagedObjects(self):
3507
3204
"""D-Bus method"""
3508
3205
return dbus.Dictionary(
3509
{client.dbus_object_path:
3510
dbus.Dictionary(
3511
{interface: client.GetAll(interface)
3512
for interface in
3513
client._get_all_interface_names()})
3514
for client in tcp_server.clients.values()})
3515
3206
{ client.dbus_object_path:
3207
dbus.Dictionary(
3208
{ interface: client.GetAll(interface)
3209
for interface in
3210
client._get_all_interface_names()})
3211
for client in tcp_server.clients.values()})
3212
3516
3213
def client_added_signal(self, client):
3517
3214
"""Send the new standard signal and the old signal"""
3518
3215
if use_dbus:
3520
3217
self.InterfacesAdded(
3521
3218
client.dbus_object_path,
3522
3219
dbus.Dictionary(
3523
{interface: client.GetAll(interface)
3524
for interface in
3525
client._get_all_interface_names()}))
3220
{ interface: client.GetAll(interface)
3221
for interface in
3222
client._get_all_interface_names()}))
3526
3223
# Old signal
3527
3224
self.ClientAdded(client.dbus_object_path)
3528
3225
3529
3226
def client_removed_signal(self, client):
3530
3227
"""Send the new standard signal and the old signal"""
3531
3228
if use_dbus:
3536
3233
# Old signal
3537
3234
self.ClientRemoved(client.dbus_object_path,
3538
3235
client.name)
3539
3236
3540
3237
mandos_dbus_service = MandosDBusService()
3541
3542
# Save modules to variables to exempt the modules from being
3543
# unloaded before the function registered with atexit() is run.
3544
mp = multiprocessing
3545
wn = wnull
3546
3238
3547
3239
def cleanup():
3548
3240
"Cleanup function; run on exit"
3549
3241
if zeroconf:
3550
3242
service.cleanup()
3551
3552
mp.active_children()
3553
wn.close()
3243
3244
multiprocessing.active_children()
3245
wnull.close()
3554
3246
if not (tcp_server.clients or client_settings):
3555
3247
return
3556
3248
3557
3249
# Store client before exiting. Secrets are encrypted with key
3558
3250
# based on what config file has. If config file is
3559
3251
# removed/edited, old secret will thus be unrecovable.
3560
3252
clients = {}
3561
3253
with PGPEngine() as pgp:
3562
for client in tcp_server.clients.values():
3254
for client in tcp_server.clients.itervalues():
3563
3255
key = client_settings[client.name]["secret"]
3564
3256
client.encrypted_secret = pgp.encrypt(client.secret,
3565
3257
key)
3566
3258
client_dict = {}
3567
3259
3568
3260
# A list of attributes that can not be pickled
3569
3261
# + secret.
3570
exclude = {"bus", "changedstate", "secret",
3571
"checker", "server_settings"}
3262
exclude = { "bus", "changedstate", "secret",
3263
"checker", "server_settings" }
3572
3264
for name, typ in inspect.getmembers(dbus.service
3573
3265
.Object):
3574
3266
exclude.add(name)
3575
3267
3576
3268
client_dict["encrypted_secret"] = (client
3577
3269
.encrypted_secret)
3578
3270
for attr in client.client_structure:
3579
3271
if attr not in exclude:
3580
3272
client_dict[attr] = getattr(client, attr)
3581
3273
3582
3274
clients[client.name] = client_dict
3583
3275
del client_settings[client.name]["secret"]
3584
3276
3585
3277
try:
3586
3278
with tempfile.NamedTemporaryFile(
3587
3279
mode='wb',
3589
3281
prefix='clients-',
3590
3282
dir=os.path.dirname(stored_state_path),
3591
3283
delete=False) as stored_state:
3592
pickle.dump((clients, client_settings), stored_state,
3593
protocol=2)
3284
pickle.dump((clients, client_settings), stored_state)
3594
3285
tempname = stored_state.name
3595
3286
os.rename(tempname, stored_state_path)
3596
3287
except (IOError, OSError) as e:
3606
3297
logger.warning("Could not save persistent state:",
3607
3298
exc_info=e)
3608
3299
raise
3609
3300
3610
3301
# Delete all clients, and settings from config
3611
3302
while tcp_server.clients:
3612
3303
name, client = tcp_server.clients.popitem()
3618
3309
if use_dbus:
3619
3310
mandos_dbus_service.client_removed_signal(client)
3620
3311
client_settings.clear()
3621
3312
3622
3313
atexit.register(cleanup)
3623
3624
for client in tcp_server.clients.values():
3314
3315
for client in tcp_server.clients.itervalues():
3625
3316
if use_dbus:
3626
3317
# Emit D-Bus signal for adding
3627
3318
mandos_dbus_service.client_added_signal(client)
3628
3319
# Need to initiate checking of clients
3629
3320
if client.enabled:
3630
3321
client.init_checker()
3631
3322
3632
3323
tcp_server.enable()
3633
3324
tcp_server.server_activate()
3634
3325
3635
3326
# Find out what port we got
3636
3327
if zeroconf:
3637
3328
service.port = tcp_server.socket.getsockname()[1]
3642
3333
else: # IPv4
3643
3334
logger.info("Now listening on address %r, port %d",
3644
3335
*tcp_server.socket.getsockname())
3645
3646
# service.interface = tcp_server.socket.getsockname()[3]
3647
3336
3337
#service.interface = tcp_server.socket.getsockname()[3]
3338
3648
3339
try:
3649
3340
if zeroconf:
3650
3341
# From the Avahi example code
3655
3346
cleanup()
3656
3347
sys.exit(1)
3657
3348
# End of Avahi example code
3658
3659
GLib.io_add_watch(
3660
GLib.IOChannel.unix_new(tcp_server.fileno()),
3661
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3662
lambda *args, **kwargs: (tcp_server.handle_request
3663
(*args[2:], **kwargs) or True))
3664
3349
3350
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3351
lambda *args, **kwargs:
3352
(tcp_server.handle_request
3353
(*args[2:], **kwargs) or True))
3354
3665
3355
logger.debug("Starting main loop")
3666
3356
main_loop.run()
3667
3357
except AvahiError as error:
3676
3366
# Must run before the D-Bus bus name gets deregistered
3677
3367
cleanup()
3678
3368
3679
3680
def should_only_run_tests():
3681
parser = argparse.ArgumentParser(add_help=False)
3682
parser.add_argument("--check", action='store_true')
3683
args, unknown_args = parser.parse_known_args()
3684
run_tests = args.check
3685
if run_tests:
3686
# Remove --check argument from sys.argv
3687
sys.argv[1:] = unknown_args
3688
return run_tests
3689
3690
# Add all tests from doctest strings
3691
def load_tests(loader, tests, none):
3692
import doctest
3693
tests.addTests(doctest.DocTestSuite())
3694
return tests
3695
3369
3696
3370
if __name__ == '__main__':
3697
try:
3698
if should_only_run_tests():
3699
# Call using ./mandos --check [--verbose]
3700
unittest.main()
3701
else:
3702
main()
3703
finally:
3704
logging.shutdown()
3371
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0