To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 825
- compare with another revision
- download diff
- download tarball
- view history from revision 825
- Committer: Teddy Hogeborn
- Date: 2016-03-07 23:39:36 UTC
- Revision ID: teddy@recompile.se-20160307233936-mhgpxhggamde443n
Server bug fix: Include CAP_SETGID so it does not run as root
* debian/mandos.postinst (configure): If old version was 1.7.4-1 or
1.7.4-1~bpo8+1, fix situation where clients.pickle file is owned by
root.
* mandos (main): Print debug info about setuid() and setgid()
* mandos.service ([Service]/CapabilityBoundingSet): Add "CAP_KILL
CAP_SETGID"; the latter is needed for setgid() to be allowed.
* debian/mandos.postinst (configure): If old version was 1.7.4-1 or
1.7.4-1~bpo8+1, fix situation where clients.pickle file is owned by
root.
* mandos (main): Print debug info about setuid() and setgid()
* mandos.service ([Service]/CapabilityBoundingSet): Add "CAP_KILL
CAP_SETGID"; the latter is needed for setgid() to be allowed.
- files added:
- bugs.xml
- debian/upstream
- network-hooks.d
- plugin-helpers
- files modified:
- .bzrignore
added
removed
mandos
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2011 Teddy Hogeborn
15
# Copyright © 2008-2011 Björn Påhlsson
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
import SocketServer as socketserver
37
from future_builtins import *
38
39
try:
40
import SocketServer as socketserver
41
except ImportError:
42
import socketserver
38
43
import socket
39
44
import argparse
40
45
import datetime
41
46
import errno
42
import gnutls.crypto
43
import gnutls.connection
44
import gnutls.errors
45
import gnutls.library.functions
46
import gnutls.library.constants
47
import gnutls.library.types
48
import ConfigParser as configparser
47
try:
48
import ConfigParser as configparser
49
except ImportError:
50
import configparser
49
51
import sys
50
52
import re
51
53
import os
60
62
import struct
61
63
import fcntl
62
64
import functools
63
import cPickle as pickle
65
try:
66
import cPickle as pickle
67
except ImportError:
68
import pickle
64
69
import multiprocessing
65
70
import types
66
import hashlib
71
import binascii
72
import tempfile
73
import itertools
74
import collections
75
import codecs
67
76
68
77
import dbus
69
78
import dbus.service
70
import gobject
79
try:
80
from gi.repository import GObject
81
except ImportError:
82
import gobject as GObject
71
83
import avahi
72
84
from dbus.mainloop.glib import DBusGMainLoop
73
85
import ctypes
74
86
import ctypes.util
75
87
import xml.dom.minidom
76
88
import inspect
77
import Crypto.Cipher.AES
78
89
79
90
try:
80
91
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
84
95
except ImportError:
85
96
SO_BINDTODEVICE = None
86
97
98
if sys.version_info.major == 2:
99
str = unicode
87
100
88
version = "1.4.1"
101
version = "1.7.4"
102
stored_state_file = "clients.pickle"
89
103
90
104
logger = logging.getLogger()
91
stored_state_path = "/var/lib/mandos/clients.pickle"
92
93
syslogger = (logging.handlers.SysLogHandler
94
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
95
address = str("/dev/log")))
96
syslogger.setFormatter(logging.Formatter
97
('Mandos [%(process)d]: %(levelname)s:'
98
' %(message)s'))
99
logger.addHandler(syslogger)
100
101
console = logging.StreamHandler()
102
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
103
' [%(process)d]:'
104
' %(levelname)s:'
105
' %(message)s'))
106
logger.addHandler(console)
105
syslogger = None
106
107
try:
108
if_nametoindex = ctypes.cdll.LoadLibrary(
109
ctypes.util.find_library("c")).if_nametoindex
110
except (OSError, AttributeError):
111
112
def if_nametoindex(interface):
113
"Get an interface index the hard way, i.e. using fcntl()"
114
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
115
with contextlib.closing(socket.socket()) as s:
116
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
117
struct.pack(b"16s16x", interface))
118
interface_index = struct.unpack("I", ifreq[16:20])[0]
119
return interface_index
120
121
122
def initlogger(debug, level=logging.WARNING):
123
"""init logger and add loglevel"""
124
125
global syslogger
126
syslogger = (logging.handlers.SysLogHandler(
127
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
128
address = "/dev/log"))
129
syslogger.setFormatter(logging.Formatter
130
('Mandos [%(process)d]: %(levelname)s:'
131
' %(message)s'))
132
logger.addHandler(syslogger)
133
134
if debug:
135
console = logging.StreamHandler()
136
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
137
' [%(process)d]:'
138
' %(levelname)s:'
139
' %(message)s'))
140
logger.addHandler(console)
141
logger.setLevel(level)
142
143
144
class PGPError(Exception):
145
"""Exception if encryption/decryption fails"""
146
pass
147
148
149
class PGPEngine(object):
150
"""A simple class for OpenPGP symmetric encryption & decryption"""
151
152
def __init__(self):
153
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
154
self.gpg = "gpg"
155
try:
156
output = subprocess.check_output(["gpgconf"])
157
for line in output.splitlines():
158
name, text, path = line.split(":")
159
if name == "gpg":
160
self.gpg = path
161
break
162
except OSError as e:
163
if e.errno != errno.ENOENT:
164
raise
165
self.gnupgargs = ['--batch',
166
'--homedir', self.tempdir,
167
'--force-mdc',
168
'--quiet',
169
'--no-use-agent']
170
171
def __enter__(self):
172
return self
173
174
def __exit__(self, exc_type, exc_value, traceback):
175
self._cleanup()
176
return False
177
178
def __del__(self):
179
self._cleanup()
180
181
def _cleanup(self):
182
if self.tempdir is not None:
183
# Delete contents of tempdir
184
for root, dirs, files in os.walk(self.tempdir,
185
topdown = False):
186
for filename in files:
187
os.remove(os.path.join(root, filename))
188
for dirname in dirs:
189
os.rmdir(os.path.join(root, dirname))
190
# Remove tempdir
191
os.rmdir(self.tempdir)
192
self.tempdir = None
193
194
def password_encode(self, password):
195
# Passphrase can not be empty and can not contain newlines or
196
# NUL bytes. So we prefix it and hex encode it.
197
encoded = b"mandos" + binascii.hexlify(password)
198
if len(encoded) > 2048:
199
# GnuPG can't handle long passwords, so encode differently
200
encoded = (b"mandos" + password.replace(b"\\", b"\\\\")
201
.replace(b"\n", b"\\n")
202
.replace(b"\0", b"\\x00"))
203
return encoded
204
205
def encrypt(self, data, password):
206
passphrase = self.password_encode(password)
207
with tempfile.NamedTemporaryFile(
208
dir=self.tempdir) as passfile:
209
passfile.write(passphrase)
210
passfile.flush()
211
proc = subprocess.Popen([self.gpg, '--symmetric',
212
'--passphrase-file',
213
passfile.name]
214
+ self.gnupgargs,
215
stdin = subprocess.PIPE,
216
stdout = subprocess.PIPE,
217
stderr = subprocess.PIPE)
218
ciphertext, err = proc.communicate(input = data)
219
if proc.returncode != 0:
220
raise PGPError(err)
221
return ciphertext
222
223
def decrypt(self, data, password):
224
passphrase = self.password_encode(password)
225
with tempfile.NamedTemporaryFile(
226
dir = self.tempdir) as passfile:
227
passfile.write(passphrase)
228
passfile.flush()
229
proc = subprocess.Popen([self.gpg, '--decrypt',
230
'--passphrase-file',
231
passfile.name]
232
+ self.gnupgargs,
233
stdin = subprocess.PIPE,
234
stdout = subprocess.PIPE,
235
stderr = subprocess.PIPE)
236
decrypted_plaintext, err = proc.communicate(input = data)
237
if proc.returncode != 0:
238
raise PGPError(err)
239
return decrypted_plaintext
107
240
108
241
109
242
class AvahiError(Exception):
110
243
def __init__(self, value, *args, **kwargs):
111
244
self.value = value
112
super(AvahiError, self).__init__(value, *args, **kwargs)
113
def __unicode__(self):
114
return unicode(repr(self.value))
245
return super(AvahiError, self).__init__(value, *args,
246
**kwargs)
247
115
248
116
249
class AvahiServiceError(AvahiError):
117
250
pass
118
251
252
119
253
class AvahiGroupError(AvahiError):
120
254
pass
121
255
128
262
Used to optionally bind to the specified interface.
129
263
name: string; Example: 'Mandos'
130
264
type: string; Example: '_mandos._tcp'.
131
See <http://www.dns-sd.org/ServiceTypes.html>
265
See <https://www.iana.org/assignments/service-names-port-numbers>
132
266
port: integer; what port to announce
133
267
TXT: list of strings; TXT record for the service
134
268
domain: string; Domain to publish on, default to .local if empty.
140
274
server: D-Bus Server
141
275
bus: dbus.SystemBus()
142
276
"""
143
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
144
servicetype = None, port = None, TXT = None,
145
domain = "", host = "", max_renames = 32768,
146
protocol = avahi.PROTO_UNSPEC, bus = None):
277
278
def __init__(self,
279
interface = avahi.IF_UNSPEC,
280
name = None,
281
servicetype = None,
282
port = None,
283
TXT = None,
284
domain = "",
285
host = "",
286
max_renames = 32768,
287
protocol = avahi.PROTO_UNSPEC,
288
bus = None):
147
289
self.interface = interface
148
290
self.name = name
149
291
self.type = servicetype
158
300
self.server = None
159
301
self.bus = bus
160
302
self.entry_group_state_changed_match = None
161
def rename(self):
303
304
def rename(self, remove=True):
162
305
"""Derived from the Avahi example code"""
163
306
if self.rename_count >= self.max_renames:
164
307
logger.critical("No suitable Zeroconf service name found"
165
308
" after %i retries, exiting.",
166
309
self.rename_count)
167
310
raise AvahiServiceError("Too many renames")
168
self.name = unicode(self.server
169
.GetAlternativeServiceName(self.name))
311
self.name = str(
312
self.server.GetAlternativeServiceName(self.name))
313
self.rename_count += 1
170
314
logger.info("Changing Zeroconf service name to %r ...",
171
315
self.name)
172
self.remove()
316
if remove:
317
self.remove()
173
318
try:
174
319
self.add()
175
320
except dbus.exceptions.DBusException as error:
176
logger.critical("DBusException: %s", error)
177
self.cleanup()
178
os._exit(1)
179
self.rename_count += 1
321
if (error.get_dbus_name()
322
== "org.freedesktop.Avahi.CollisionError"):
323
logger.info("Local Zeroconf service name collision.")
324
return self.rename(remove=False)
325
else:
326
logger.critical("D-Bus Exception", exc_info=error)
327
self.cleanup()
328
os._exit(1)
329
180
330
def remove(self):
181
331
"""Derived from the Avahi example code"""
182
332
if self.entry_group_state_changed_match is not None:
184
334
self.entry_group_state_changed_match = None
185
335
if self.group is not None:
186
336
self.group.Reset()
337
187
338
def add(self):
188
339
"""Derived from the Avahi example code"""
189
340
self.remove()
206
357
dbus.UInt16(self.port),
207
358
avahi.string_array_to_txt_array(self.TXT))
208
359
self.group.Commit()
360
209
361
def entry_group_state_changed(self, state, error):
210
362
"""Derived from the Avahi example code"""
211
363
logger.debug("Avahi entry group state change: %i", state)
217
369
self.rename()
218
370
elif state == avahi.ENTRY_GROUP_FAILURE:
219
371
logger.critical("Avahi: Error in group state changed %s",
220
unicode(error))
221
raise AvahiGroupError("State changed: %s"
222
% unicode(error))
372
str(error))
373
raise AvahiGroupError("State changed: {!s}".format(error))
374
223
375
def cleanup(self):
224
376
"""Derived from the Avahi example code"""
225
377
if self.group is not None:
226
378
try:
227
379
self.group.Free()
228
380
except (dbus.exceptions.UnknownMethodException,
229
dbus.exceptions.DBusException) as e:
381
dbus.exceptions.DBusException):
230
382
pass
231
383
self.group = None
232
384
self.remove()
385
233
386
def server_state_changed(self, state, error=None):
234
387
"""Derived from the Avahi example code"""
235
388
logger.debug("Avahi server state change: %i", state)
236
bad_states = { avahi.SERVER_INVALID:
237
"Zeroconf server invalid",
238
avahi.SERVER_REGISTERING: None,
239
avahi.SERVER_COLLISION:
240
"Zeroconf server name collision",
241
avahi.SERVER_FAILURE:
242
"Zeroconf server failure" }
389
bad_states = {
390
avahi.SERVER_INVALID: "Zeroconf server invalid",
391
avahi.SERVER_REGISTERING: None,
392
avahi.SERVER_COLLISION: "Zeroconf server name collision",
393
avahi.SERVER_FAILURE: "Zeroconf server failure",
394
}
243
395
if state in bad_states:
244
396
if bad_states[state] is not None:
245
397
if error is None:
248
400
logger.error(bad_states[state] + ": %r", error)
249
401
self.cleanup()
250
402
elif state == avahi.SERVER_RUNNING:
251
self.add()
403
try:
404
self.add()
405
except dbus.exceptions.DBusException as error:
406
if (error.get_dbus_name()
407
== "org.freedesktop.Avahi.CollisionError"):
408
logger.info("Local Zeroconf service name"
409
" collision.")
410
return self.rename(remove=False)
411
else:
412
logger.critical("D-Bus Exception", exc_info=error)
413
self.cleanup()
414
os._exit(1)
252
415
else:
253
416
if error is None:
254
417
logger.debug("Unknown state: %r", state)
255
418
else:
256
419
logger.debug("Unknown state: %r: %r", state, error)
420
257
421
def activate(self):
258
422
"""Derived from the Avahi example code"""
259
423
if self.server is None:
263
427
follow_name_owner_changes=True),
264
428
avahi.DBUS_INTERFACE_SERVER)
265
429
self.server.connect_to_signal("StateChanged",
266
self.server_state_changed)
430
self.server_state_changed)
267
431
self.server_state_changed(self.server.GetState())
268
432
433
269
434
class AvahiServiceToSyslog(AvahiService):
270
def rename(self):
435
def rename(self, *args, **kwargs):
271
436
"""Add the new name to the syslog messages"""
272
ret = AvahiService.rename(self)
273
syslogger.setFormatter(logging.Formatter
274
('Mandos (%s) [%%(process)d]:'
275
' %%(levelname)s: %%(message)s'
276
% self.name))
437
ret = AvahiService.rename(self, *args, **kwargs)
438
syslogger.setFormatter(logging.Formatter(
439
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
440
.format(self.name)))
277
441
return ret
278
442
279
def _timedelta_to_milliseconds(td):
280
"Convert a datetime.timedelta() to milliseconds"
281
return ((td.days * 24 * 60 * 60 * 1000)
282
+ (td.seconds * 1000)
283
+ (td.microseconds // 1000))
284
443
# Pretend that we have a GnuTLS module
444
class GnuTLS(object):
445
"""This isn't so much a class as it is a module-like namespace.
446
It is instantiated once, and simulates having a GnuTLS module."""
447
448
_library = ctypes.cdll.LoadLibrary(
449
ctypes.util.find_library("gnutls"))
450
_need_version = "3.3.0"
451
def __init__(self):
452
# Need to use class name "GnuTLS" here, since this method is
453
# called before the assignment to the "gnutls" global variable
454
# happens.
455
if GnuTLS.check_version(self._need_version) is None:
456
raise GnuTLS.Error("Needs GnuTLS {} or later"
457
.format(self._need_version))
458
459
# Unless otherwise indicated, the constants and types below are
460
# all from the gnutls/gnutls.h C header file.
461
462
# Constants
463
E_SUCCESS = 0
464
E_INTERRUPTED = -52
465
E_AGAIN = -28
466
CRT_OPENPGP = 2
467
CLIENT = 2
468
SHUT_RDWR = 0
469
CRD_CERTIFICATE = 1
470
E_NO_CERTIFICATE_FOUND = -49
471
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
472
473
# Types
474
class session_int(ctypes.Structure):
475
_fields_ = []
476
session_t = ctypes.POINTER(session_int)
477
class certificate_credentials_st(ctypes.Structure):
478
_fields_ = []
479
certificate_credentials_t = ctypes.POINTER(
480
certificate_credentials_st)
481
certificate_type_t = ctypes.c_int
482
class datum_t(ctypes.Structure):
483
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
484
('size', ctypes.c_uint)]
485
class openpgp_crt_int(ctypes.Structure):
486
_fields_ = []
487
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
488
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
489
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
490
credentials_type_t = ctypes.c_int
491
transport_ptr_t = ctypes.c_void_p
492
close_request_t = ctypes.c_int
493
494
# Exceptions
495
class Error(Exception):
496
# We need to use the class name "GnuTLS" here, since this
497
# exception might be raised from within GnuTLS.__init__,
498
# which is called before the assignment to the "gnutls"
499
# global variable has happened.
500
def __init__(self, message = None, code = None, args=()):
501
# Default usage is by a message string, but if a return
502
# code is passed, convert it to a string with
503
# gnutls.strerror()
504
self.code = code
505
if message is None and code is not None:
506
message = GnuTLS.strerror(code)
507
return super(GnuTLS.Error, self).__init__(
508
message, *args)
509
510
class CertificateSecurityError(Error):
511
pass
512
513
# Classes
514
class Credentials(object):
515
def __init__(self):
516
self._c_object = gnutls.certificate_credentials_t()
517
gnutls.certificate_allocate_credentials(
518
ctypes.byref(self._c_object))
519
self.type = gnutls.CRD_CERTIFICATE
520
521
def __del__(self):
522
gnutls.certificate_free_credentials(self._c_object)
523
524
class ClientSession(object):
525
def __init__(self, socket, credentials = None):
526
self._c_object = gnutls.session_t()
527
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
528
gnutls.set_default_priority(self._c_object)
529
gnutls.transport_set_ptr(self._c_object, socket.fileno())
530
gnutls.handshake_set_private_extensions(self._c_object,
531
True)
532
self.socket = socket
533
if credentials is None:
534
credentials = gnutls.Credentials()
535
gnutls.credentials_set(self._c_object, credentials.type,
536
ctypes.cast(credentials._c_object,
537
ctypes.c_void_p))
538
self.credentials = credentials
539
540
def __del__(self):
541
gnutls.deinit(self._c_object)
542
543
def handshake(self):
544
return gnutls.handshake(self._c_object)
545
546
def send(self, data):
547
data = bytes(data)
548
data_len = len(data)
549
while data_len > 0:
550
data_len -= gnutls.record_send(self._c_object,
551
data[-data_len:],
552
data_len)
553
554
def bye(self):
555
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
556
557
# Error handling functions
558
def _error_code(result):
559
"""A function to raise exceptions on errors, suitable
560
for the 'restype' attribute on ctypes functions"""
561
if result >= 0:
562
return result
563
if result == gnutls.E_NO_CERTIFICATE_FOUND:
564
raise gnutls.CertificateSecurityError(code = result)
565
raise gnutls.Error(code = result)
566
567
def _retry_on_error(result, func, arguments):
568
"""A function to retry on some errors, suitable
569
for the 'errcheck' attribute on ctypes functions"""
570
while result < 0:
571
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
572
return _error_code(result)
573
result = func(*arguments)
574
return result
575
576
# Unless otherwise indicated, the function declarations below are
577
# all from the gnutls/gnutls.h C header file.
578
579
# Functions
580
priority_set_direct = _library.gnutls_priority_set_direct
581
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
582
ctypes.POINTER(ctypes.c_char_p)]
583
priority_set_direct.restype = _error_code
584
585
init = _library.gnutls_init
586
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
587
init.restype = _error_code
588
589
set_default_priority = _library.gnutls_set_default_priority
590
set_default_priority.argtypes = [session_t]
591
set_default_priority.restype = _error_code
592
593
record_send = _library.gnutls_record_send
594
record_send.argtypes = [session_t, ctypes.c_void_p,
595
ctypes.c_size_t]
596
record_send.restype = ctypes.c_ssize_t
597
record_send.errcheck = _retry_on_error
598
599
certificate_allocate_credentials = (
600
_library.gnutls_certificate_allocate_credentials)
601
certificate_allocate_credentials.argtypes = [
602
ctypes.POINTER(certificate_credentials_t)]
603
certificate_allocate_credentials.restype = _error_code
604
605
certificate_free_credentials = (
606
_library.gnutls_certificate_free_credentials)
607
certificate_free_credentials.argtypes = [certificate_credentials_t]
608
certificate_free_credentials.restype = None
609
610
handshake_set_private_extensions = (
611
_library.gnutls_handshake_set_private_extensions)
612
handshake_set_private_extensions.argtypes = [session_t,
613
ctypes.c_int]
614
handshake_set_private_extensions.restype = None
615
616
credentials_set = _library.gnutls_credentials_set
617
credentials_set.argtypes = [session_t, credentials_type_t,
618
ctypes.c_void_p]
619
credentials_set.restype = _error_code
620
621
strerror = _library.gnutls_strerror
622
strerror.argtypes = [ctypes.c_int]
623
strerror.restype = ctypes.c_char_p
624
625
certificate_type_get = _library.gnutls_certificate_type_get
626
certificate_type_get.argtypes = [session_t]
627
certificate_type_get.restype = _error_code
628
629
certificate_get_peers = _library.gnutls_certificate_get_peers
630
certificate_get_peers.argtypes = [session_t,
631
ctypes.POINTER(ctypes.c_uint)]
632
certificate_get_peers.restype = ctypes.POINTER(datum_t)
633
634
global_set_log_level = _library.gnutls_global_set_log_level
635
global_set_log_level.argtypes = [ctypes.c_int]
636
global_set_log_level.restype = None
637
638
global_set_log_function = _library.gnutls_global_set_log_function
639
global_set_log_function.argtypes = [log_func]
640
global_set_log_function.restype = None
641
642
deinit = _library.gnutls_deinit
643
deinit.argtypes = [session_t]
644
deinit.restype = None
645
646
handshake = _library.gnutls_handshake
647
handshake.argtypes = [session_t]
648
handshake.restype = _error_code
649
handshake.errcheck = _retry_on_error
650
651
transport_set_ptr = _library.gnutls_transport_set_ptr
652
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
653
transport_set_ptr.restype = None
654
655
bye = _library.gnutls_bye
656
bye.argtypes = [session_t, close_request_t]
657
bye.restype = _error_code
658
bye.errcheck = _retry_on_error
659
660
check_version = _library.gnutls_check_version
661
check_version.argtypes = [ctypes.c_char_p]
662
check_version.restype = ctypes.c_char_p
663
664
# All the function declarations below are from gnutls/openpgp.h
665
666
openpgp_crt_init = _library.gnutls_openpgp_crt_init
667
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
668
openpgp_crt_init.restype = _error_code
669
670
openpgp_crt_import = _library.gnutls_openpgp_crt_import
671
openpgp_crt_import.argtypes = [openpgp_crt_t,
672
ctypes.POINTER(datum_t),
673
openpgp_crt_fmt_t]
674
openpgp_crt_import.restype = _error_code
675
676
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
677
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
678
ctypes.POINTER(ctypes.c_uint)]
679
openpgp_crt_verify_self.restype = _error_code
680
681
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
682
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
683
openpgp_crt_deinit.restype = None
684
685
openpgp_crt_get_fingerprint = (
686
_library.gnutls_openpgp_crt_get_fingerprint)
687
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
688
ctypes.c_void_p,
689
ctypes.POINTER(
690
ctypes.c_size_t)]
691
openpgp_crt_get_fingerprint.restype = _error_code
692
693
# Remove non-public functions
694
del _error_code, _retry_on_error
695
# Create the global "gnutls" object, simulating a module
696
gnutls = GnuTLS()
697
698
def call_pipe(connection, # : multiprocessing.Connection
699
func, *args, **kwargs):
700
"""This function is meant to be called by multiprocessing.Process
701
702
This function runs func(*args, **kwargs), and writes the resulting
703
return value on the provided multiprocessing.Connection.
704
"""
705
connection.send(func(*args, **kwargs))
706
connection.close()
707
285
708
class Client(object):
286
709
"""A representation of a client host served by this server.
287
710
288
711
Attributes:
289
_approved: bool(); 'None' if not yet approved/disapproved
712
approved: bool(); 'None' if not yet approved/disapproved
290
713
approval_delay: datetime.timedelta(); Time to wait for approval
291
714
approval_duration: datetime.timedelta(); Duration of one approval
292
715
checker: subprocess.Popen(); a running checker process used
293
716
to see if the client lives.
294
717
'None' if no process is running.
295
checker_callback_tag: a gobject event source tag, or None
718
checker_callback_tag: a GObject event source tag, or None
296
719
checker_command: string; External command which is run to check
297
720
if client lives. %() expansions are done at
298
721
runtime with vars(self) as dict, so that for
299
722
instance %(name)s can be used in the command.
300
checker_initiator_tag: a gobject event source tag, or None
723
checker_initiator_tag: a GObject event source tag, or None
301
724
created: datetime.datetime(); (UTC) object creation
302
725
client_structure: Object describing what attributes a client has
303
726
and is used for storing the client at exit
304
727
current_checker_command: string; current running checker_command
305
disable_initiator_tag: a gobject event source tag, or None
728
disable_initiator_tag: a GObject event source tag, or None
306
729
enabled: bool()
307
730
fingerprint: string (40 or 32 hexadecimal digits); used to
308
731
uniquely identify the client
311
734
last_approval_request: datetime.datetime(); (UTC) or None
312
735
last_checked_ok: datetime.datetime(); (UTC) or None
313
736
last_checker_status: integer between 0 and 255 reflecting exit
314
status of last checker. -1 reflect crashed
315
checker, or None.
316
last_enabled: datetime.datetime(); (UTC)
737
status of last checker. -1 reflects crashed
738
checker, -2 means no checker completed yet.
739
last_checker_signal: The signal which killed the last checker, if
740
last_checker_status is -1
741
last_enabled: datetime.datetime(); (UTC) or None
317
742
name: string; from the config file, used in log messages and
318
743
D-Bus identifiers
319
744
secret: bytestring; sent verbatim (over TLS) to client
320
745
timeout: datetime.timedelta(); How long from last_checked_ok
321
746
until this client is disabled
322
extended_timeout: extra long timeout when password has been sent
747
extended_timeout: extra long timeout when secret has been sent
323
748
runtime_expansions: Allowed attributes for runtime expansion.
324
749
expires: datetime.datetime(); time (UTC) when a client will be
325
750
disabled, or None
751
server_settings: The server_settings dict from main()
326
752
"""
327
753
328
754
runtime_expansions = ("approval_delay", "approval_duration",
329
"created", "enabled", "fingerprint",
330
"host", "interval", "last_checked_ok",
755
"created", "enabled", "expires",
756
"fingerprint", "host", "interval",
757
"last_approval_request", "last_checked_ok",
331
758
"last_enabled", "name", "timeout")
332
333
def timeout_milliseconds(self):
334
"Return the 'timeout' attribute in milliseconds"
335
return _timedelta_to_milliseconds(self.timeout)
336
337
def extended_timeout_milliseconds(self):
338
"Return the 'extended_timeout' attribute in milliseconds"
339
return _timedelta_to_milliseconds(self.extended_timeout)
340
341
def interval_milliseconds(self):
342
"Return the 'interval' attribute in milliseconds"
343
return _timedelta_to_milliseconds(self.interval)
344
345
def approval_delay_milliseconds(self):
346
return _timedelta_to_milliseconds(self.approval_delay)
347
348
def __init__(self, name = None, config=None):
349
"""Note: the 'checker' key in 'config' sets the
350
'checker_command' attribute and *not* the 'checker'
351
attribute."""
759
client_defaults = {
760
"timeout": "PT5M",
761
"extended_timeout": "PT15M",
762
"interval": "PT2M",
763
"checker": "fping -q -- %%(host)s",
764
"host": "",
765
"approval_delay": "PT0S",
766
"approval_duration": "PT1S",
767
"approved_by_default": "True",
768
"enabled": "True",
769
}
770
771
@staticmethod
772
def config_parser(config):
773
"""Construct a new dict of client settings of this form:
774
{ client_name: {setting_name: value, ...}, ...}
775
with exceptions for any special settings as defined above.
776
NOTE: Must be a pure function. Must return the same result
777
value given the same arguments.
778
"""
779
settings = {}
780
for client_name in config.sections():
781
section = dict(config.items(client_name))
782
client = settings[client_name] = {}
783
784
client["host"] = section["host"]
785
# Reformat values from string types to Python types
786
client["approved_by_default"] = config.getboolean(
787
client_name, "approved_by_default")
788
client["enabled"] = config.getboolean(client_name,
789
"enabled")
790
791
# Uppercase and remove spaces from fingerprint for later
792
# comparison purposes with return value from the
793
# fingerprint() function
794
client["fingerprint"] = (section["fingerprint"].upper()
795
.replace(" ", ""))
796
if "secret" in section:
797
client["secret"] = section["secret"].decode("base64")
798
elif "secfile" in section:
799
with open(os.path.expanduser(os.path.expandvars
800
(section["secfile"])),
801
"rb") as secfile:
802
client["secret"] = secfile.read()
803
else:
804
raise TypeError("No secret or secfile for section {}"
805
.format(section))
806
client["timeout"] = string_to_delta(section["timeout"])
807
client["extended_timeout"] = string_to_delta(
808
section["extended_timeout"])
809
client["interval"] = string_to_delta(section["interval"])
810
client["approval_delay"] = string_to_delta(
811
section["approval_delay"])
812
client["approval_duration"] = string_to_delta(
813
section["approval_duration"])
814
client["checker_command"] = section["checker"]
815
client["last_approval_request"] = None
816
client["last_checked_ok"] = None
817
client["last_checker_status"] = -2
818
819
return settings
820
821
def __init__(self, settings, name = None, server_settings=None):
352
822
self.name = name
353
if config is None:
354
config = {}
823
if server_settings is None:
824
server_settings = {}
825
self.server_settings = server_settings
826
# adding all client settings
827
for setting, value in settings.items():
828
setattr(self, setting, value)
829
830
if self.enabled:
831
if not hasattr(self, "last_enabled"):
832
self.last_enabled = datetime.datetime.utcnow()
833
if not hasattr(self, "expires"):
834
self.expires = (datetime.datetime.utcnow()
835
+ self.timeout)
836
else:
837
self.last_enabled = None
838
self.expires = None
839
355
840
logger.debug("Creating client %r", self.name)
356
# Uppercase and remove spaces from fingerprint for later
357
# comparison purposes with return value from the fingerprint()
358
# function
359
self.fingerprint = (config["fingerprint"].upper()
360
.replace(" ", ""))
361
841
logger.debug(" Fingerprint: %s", self.fingerprint)
362
if "secret" in config:
363
self.secret = config["secret"].decode("base64")
364
elif "secfile" in config:
365
with open(os.path.expanduser(os.path.expandvars
366
(config["secfile"])),
367
"rb") as secfile:
368
self.secret = secfile.read()
369
else:
370
raise TypeError("No secret or secfile for client %s"
371
% self.name)
372
self.host = config.get("host", "")
373
self.created = datetime.datetime.utcnow()
374
self.enabled = True
375
self.last_approval_request = None
376
self.last_enabled = datetime.datetime.utcnow()
377
self.last_checked_ok = None
378
self.last_checker_status = None
379
self.timeout = string_to_delta(config["timeout"])
380
self.extended_timeout = string_to_delta(config
381
["extended_timeout"])
382
self.interval = string_to_delta(config["interval"])
842
self.created = settings.get("created",
843
datetime.datetime.utcnow())
844
845
# attributes specific for this server instance
383
846
self.checker = None
384
847
self.checker_initiator_tag = None
385
848
self.disable_initiator_tag = None
386
self.expires = datetime.datetime.utcnow() + self.timeout
387
849
self.checker_callback_tag = None
388
self.checker_command = config["checker"]
389
850
self.current_checker_command = None
390
self._approved = None
391
self.approved_by_default = config.get("approved_by_default",
392
True)
851
self.approved = None
393
852
self.approvals_pending = 0
394
self.approval_delay = string_to_delta(
395
config["approval_delay"])
396
self.approval_duration = string_to_delta(
397
config["approval_duration"])
398
self.changedstate = (multiprocessing_manager
399
.Condition(multiprocessing_manager
400
.Lock()))
401
self.client_structure = [attr for attr
402
in self.__dict__.iterkeys()
853
self.changedstate = multiprocessing_manager.Condition(
854
multiprocessing_manager.Lock())
855
self.client_structure = [attr
856
for attr in self.__dict__.iterkeys()
403
857
if not attr.startswith("_")]
404
858
self.client_structure.append("client_structure")
405
406
407
for name, t in inspect.getmembers(type(self),
408
lambda obj:
409
isinstance(obj,
410
property)):
859
860
for name, t in inspect.getmembers(
861
type(self), lambda obj: isinstance(obj, property)):
411
862
if not name.startswith("_"):
412
863
self.client_structure.append(name)
413
864
421
872
if getattr(self, "enabled", False):
422
873
# Already enabled
423
874
return
424
self.send_changedstate()
425
875
self.expires = datetime.datetime.utcnow() + self.timeout
426
876
self.enabled = True
427
877
self.last_enabled = datetime.datetime.utcnow()
428
878
self.init_checker()
879
self.send_changedstate()
429
880
430
881
def disable(self, quiet=True):
431
882
"""Disable this client."""
432
883
if not getattr(self, "enabled", False):
433
884
return False
434
885
if not quiet:
435
self.send_changedstate()
436
if not quiet:
437
886
logger.info("Disabling client %s", self.name)
438
if getattr(self, "disable_initiator_tag", False):
439
gobject.source_remove(self.disable_initiator_tag)
887
if getattr(self, "disable_initiator_tag", None) is not None:
888
GObject.source_remove(self.disable_initiator_tag)
440
889
self.disable_initiator_tag = None
441
890
self.expires = None
442
if getattr(self, "checker_initiator_tag", False):
443
gobject.source_remove(self.checker_initiator_tag)
891
if getattr(self, "checker_initiator_tag", None) is not None:
892
GObject.source_remove(self.checker_initiator_tag)
444
893
self.checker_initiator_tag = None
445
894
self.stop_checker()
446
895
self.enabled = False
447
# Do not run this again if called by a gobject.timeout_add
896
if not quiet:
897
self.send_changedstate()
898
# Do not run this again if called by a GObject.timeout_add
448
899
return False
449
900
450
901
def __del__(self):
451
902
self.disable()
452
903
453
904
def init_checker(self):
454
905
# Schedule a new checker to be started an 'interval' from now,
455
906
# and every interval from then on.
456
self.checker_initiator_tag = (gobject.timeout_add
457
(self.interval_milliseconds(),
458
self.start_checker))
907
if self.checker_initiator_tag is not None:
908
GObject.source_remove(self.checker_initiator_tag)
909
self.checker_initiator_tag = GObject.timeout_add(
910
int(self.interval.total_seconds() * 1000),
911
self.start_checker)
459
912
# Schedule a disable() when 'timeout' has passed
460
self.disable_initiator_tag = (gobject.timeout_add
461
(self.timeout_milliseconds(),
462
self.disable))
913
if self.disable_initiator_tag is not None:
914
GObject.source_remove(self.disable_initiator_tag)
915
self.disable_initiator_tag = GObject.timeout_add(
916
int(self.timeout.total_seconds() * 1000), self.disable)
463
917
# Also start a new checker *right now*.
464
918
self.start_checker()
465
466
467
def checker_callback(self, pid, condition, command):
919
920
def checker_callback(self, source, condition, connection,
921
command):
468
922
"""The checker has completed, so take appropriate actions."""
469
923
self.checker_callback_tag = None
470
924
self.checker = None
471
if os.WIFEXITED(condition):
472
self.last_checker_status = os.WEXITSTATUS(condition)
925
# Read return code from connection (see call_pipe)
926
returncode = connection.recv()
927
connection.close()
928
929
if returncode >= 0:
930
self.last_checker_status = returncode
931
self.last_checker_signal = None
473
932
if self.last_checker_status == 0:
474
933
logger.info("Checker for %(name)s succeeded",
475
934
vars(self))
476
935
self.checked_ok()
477
936
else:
478
logger.info("Checker for %(name)s failed",
479
vars(self))
937
logger.info("Checker for %(name)s failed", vars(self))
480
938
else:
481
939
self.last_checker_status = -1
940
self.last_checker_signal = -returncode
482
941
logger.warning("Checker for %(name)s crashed?",
483
942
vars(self))
484
485
def checked_ok(self, timeout=None):
486
"""Bump up the timeout for this client.
487
488
This should only be called when the client has been seen,
489
alive and well.
490
"""
943
return False
944
945
def checked_ok(self):
946
"""Assert that the client has been seen, alive and well."""
947
self.last_checked_ok = datetime.datetime.utcnow()
948
self.last_checker_status = 0
949
self.last_checker_signal = None
950
self.bump_timeout()
951
952
def bump_timeout(self, timeout=None):
953
"""Bump up the timeout for this client."""
491
954
if timeout is None:
492
955
timeout = self.timeout
493
self.last_checked_ok = datetime.datetime.utcnow()
494
956
if self.disable_initiator_tag is not None:
495
gobject.source_remove(self.disable_initiator_tag)
957
GObject.source_remove(self.disable_initiator_tag)
958
self.disable_initiator_tag = None
496
959
if getattr(self, "enabled", False):
497
self.disable_initiator_tag = (gobject.timeout_add
498
(_timedelta_to_milliseconds
499
(timeout), self.disable))
960
self.disable_initiator_tag = GObject.timeout_add(
961
int(timeout.total_seconds() * 1000), self.disable)
500
962
self.expires = datetime.datetime.utcnow() + timeout
501
963
502
964
def need_approval(self):
508
970
If a checker already exists, leave it running and do
509
971
nothing."""
510
972
# The reason for not killing a running checker is that if we
511
# did that, then if a checker (for some reason) started
512
# running slowly and taking more than 'interval' time, the
513
# client would inevitably timeout, since no checker would get
514
# a chance to run to completion. If we instead leave running
973
# did that, and if a checker (for some reason) started running
974
# slowly and taking more than 'interval' time, then the client
975
# would inevitably timeout, since no checker would get a
976
# chance to run to completion. If we instead leave running
515
977
# checkers alone, the checker would have to take more time
516
978
# than 'timeout' for the client to be disabled, which is as it
517
979
# should be.
518
980
519
# If a checker exists, make sure it is not a zombie
520
try:
521
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
522
except (AttributeError, OSError) as error:
523
if (isinstance(error, OSError)
524
and error.errno != errno.ECHILD):
525
raise error
526
else:
527
if pid:
528
logger.warning("Checker was a zombie")
529
gobject.source_remove(self.checker_callback_tag)
530
self.checker_callback(pid, status,
531
self.current_checker_command)
981
if self.checker is not None and not self.checker.is_alive():
982
logger.warning("Checker was not alive; joining")
983
self.checker.join()
984
self.checker = None
532
985
# Start a new checker if needed
533
986
if self.checker is None:
987
# Escape attributes for the shell
988
escaped_attrs = {
989
attr: re.escape(str(getattr(self, attr)))
990
for attr in self.runtime_expansions }
534
991
try:
535
# In case checker_command has exactly one % operator
536
command = self.checker_command % self.host
537
except TypeError:
538
# Escape attributes for the shell
539
escaped_attrs = dict(
540
(attr,
541
re.escape(unicode(str(getattr(self, attr, "")),
542
errors=
543
'replace')))
544
for attr in
545
self.runtime_expansions)
546
547
try:
548
command = self.checker_command % escaped_attrs
549
except TypeError as error:
550
logger.error('Could not format string "%s":'
551
' %s', self.checker_command, error)
552
return True # Try again later
992
command = self.checker_command % escaped_attrs
993
except TypeError as error:
994
logger.error('Could not format string "%s"',
995
self.checker_command,
996
exc_info=error)
997
return True # Try again later
553
998
self.current_checker_command = command
554
try:
555
logger.info("Starting checker %r for %s",
556
command, self.name)
557
# We don't need to redirect stdout and stderr, since
558
# in normal mode, that is already done by daemon(),
559
# and in debug mode we don't want to. (Stdin is
560
# always replaced by /dev/null.)
561
self.checker = subprocess.Popen(command,
562
close_fds=True,
563
shell=True, cwd="/")
564
self.checker_callback_tag = (gobject.child_watch_add
565
(self.checker.pid,
566
self.checker_callback,
567
data=command))
568
# The checker may have completed before the gobject
569
# watch was added. Check for this.
570
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
571
if pid:
572
gobject.source_remove(self.checker_callback_tag)
573
self.checker_callback(pid, status, command)
574
except OSError as error:
575
logger.error("Failed to start subprocess: %s",
576
error)
577
# Re-run this periodically if run by gobject.timeout_add
999
logger.info("Starting checker %r for %s", command,
1000
self.name)
1001
# We don't need to redirect stdout and stderr, since
1002
# in normal mode, that is already done by daemon(),
1003
# and in debug mode we don't want to. (Stdin is
1004
# always replaced by /dev/null.)
1005
# The exception is when not debugging but nevertheless
1006
# running in the foreground; use the previously
1007
# created wnull.
1008
popen_args = { "close_fds": True,
1009
"shell": True,
1010
"cwd": "/" }
1011
if (not self.server_settings["debug"]
1012
and self.server_settings["foreground"]):
1013
popen_args.update({"stdout": wnull,
1014
"stderr": wnull })
1015
pipe = multiprocessing.Pipe(duplex = False)
1016
self.checker = multiprocessing.Process(
1017
target = call_pipe,
1018
args = (pipe[1], subprocess.call, command),
1019
kwargs = popen_args)
1020
self.checker.start()
1021
self.checker_callback_tag = GObject.io_add_watch(
1022
pipe[0].fileno(), GObject.IO_IN,
1023
self.checker_callback, pipe[0], command)
1024
# Re-run this periodically if run by GObject.timeout_add
578
1025
return True
579
1026
580
1027
def stop_checker(self):
581
1028
"""Force the checker process, if any, to stop."""
582
1029
if self.checker_callback_tag:
583
gobject.source_remove(self.checker_callback_tag)
1030
GObject.source_remove(self.checker_callback_tag)
584
1031
self.checker_callback_tag = None
585
1032
if getattr(self, "checker", None) is None:
586
1033
return
587
1034
logger.debug("Stopping checker for %(name)s", vars(self))
588
try:
589
os.kill(self.checker.pid, signal.SIGTERM)
590
#time.sleep(0.5)
591
#if self.checker.poll() is None:
592
# os.kill(self.checker.pid, signal.SIGKILL)
593
except OSError as error:
594
if error.errno != errno.ESRCH: # No such process
595
raise
1035
self.checker.terminate()
596
1036
self.checker = None
597
1037
598
# Encrypts a client secret and stores it in a varible
599
# encrypted_secret
600
def encrypt_secret(self, key):
601
# Encryption-key need to be of a specific size, so we hash
602
# supplied key
603
hasheng = hashlib.sha256()
604
hasheng.update(key)
605
encryptionkey = hasheng.digest()
606
607
# Create validation hash so we know at decryption if it was
608
# sucessful
609
hasheng = hashlib.sha256()
610
hasheng.update(self.secret)
611
validationhash = hasheng.digest()
612
613
# Encrypt secret
614
iv = os.urandom(Crypto.Cipher.AES.block_size)
615
ciphereng = Crypto.Cipher.AES.new(encryptionkey,
616
Crypto.Cipher.AES.MODE_CFB, iv)
617
ciphertext = ciphereng.encrypt(validationhash+self.secret)
618
self.encrypted_secret = (ciphertext, iv)
619
620
# Decrypt a encrypted client secret
621
def decrypt_secret(self, key):
622
# Decryption-key need to be of a specific size, so we hash
623
# supplied key
624
hasheng = hashlib.sha256()
625
hasheng.update(key)
626
encryptionkey = hasheng.digest()
627
628
# Decrypt encrypted secret
629
ciphertext, iv = self.encrypted_secret
630
ciphereng = Crypto.Cipher.AES.new(encryptionkey,
631
Crypto.Cipher.AES.MODE_CFB, iv)
632
plain = ciphereng.decrypt(ciphertext)
633
634
# Validate decrypted secret to know if it was succesful
635
hasheng = hashlib.sha256()
636
validationhash = plain[:hasheng.digest_size]
637
secret = plain[hasheng.digest_size:]
638
hasheng.update(secret)
639
640
# If validation fails, we use key as new secret. Otherwise, we
641
# use the decrypted secret
642
if hasheng.digest() == validationhash:
643
self.secret = secret
644
else:
645
self.secret = key
646
del self.encrypted_secret
647
648
649
def dbus_service_property(dbus_interface, signature="v",
650
access="readwrite", byte_arrays=False):
1038
1039
def dbus_service_property(dbus_interface,
1040
signature="v",
1041
access="readwrite",
1042
byte_arrays=False):
651
1043
"""Decorators for marking methods of a DBusObjectWithProperties to
652
1044
become properties on the D-Bus.
653
1045
662
1054
# "Set" method, so we fail early here:
663
1055
if byte_arrays and signature != "ay":
664
1056
raise ValueError("Byte arrays not supported for non-'ay'"
665
" signature %r" % signature)
1057
" signature {!r}".format(signature))
1058
666
1059
def decorator(func):
667
1060
func._dbus_is_property = True
668
1061
func._dbus_interface = dbus_interface
673
1066
func._dbus_name = func._dbus_name[:-14]
674
1067
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
675
1068
return func
1069
1070
return decorator
1071
1072
1073
def dbus_interface_annotations(dbus_interface):
1074
"""Decorator for marking functions returning interface annotations
1075
1076
Usage:
1077
1078
@dbus_interface_annotations("org.example.Interface")
1079
def _foo(self): # Function name does not matter
1080
return {"org.freedesktop.DBus.Deprecated": "true",
1081
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1082
"false"}
1083
"""
1084
1085
def decorator(func):
1086
func._dbus_is_interface = True
1087
func._dbus_interface = dbus_interface
1088
func._dbus_name = dbus_interface
1089
return func
1090
1091
return decorator
1092
1093
1094
def dbus_annotations(annotations):
1095
"""Decorator to annotate D-Bus methods, signals or properties
1096
Usage:
1097
1098
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1099
"org.freedesktop.DBus.Property."
1100
"EmitsChangedSignal": "false"})
1101
@dbus_service_property("org.example.Interface", signature="b",
1102
access="r")
1103
def Property_dbus_property(self):
1104
return dbus.Boolean(False)
1105
1106
See also the DBusObjectWithAnnotations class.
1107
"""
1108
1109
def decorator(func):
1110
func._dbus_annotations = annotations
1111
return func
1112
676
1113
return decorator
677
1114
678
1115
679
1116
class DBusPropertyException(dbus.exceptions.DBusException):
680
1117
"""A base class for D-Bus property-related exceptions
681
1118
"""
682
def __unicode__(self):
683
return unicode(str(self))
1119
pass
684
1120
685
1121
686
1122
class DBusPropertyAccessException(DBusPropertyException):
695
1131
pass
696
1132
697
1133
698
class DBusObjectWithProperties(dbus.service.Object):
1134
class DBusObjectWithAnnotations(dbus.service.Object):
1135
"""A D-Bus object with annotations.
1136
1137
Classes inheriting from this can use the dbus_annotations
1138
decorator to add annotations to methods or signals.
1139
"""
1140
1141
@staticmethod
1142
def _is_dbus_thing(thing):
1143
"""Returns a function testing if an attribute is a D-Bus thing
1144
1145
If called like _is_dbus_thing("method") it returns a function
1146
suitable for use as predicate to inspect.getmembers().
1147
"""
1148
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1149
False)
1150
1151
def _get_all_dbus_things(self, thing):
1152
"""Returns a generator of (name, attribute) pairs
1153
"""
1154
return ((getattr(athing.__get__(self), "_dbus_name", name),
1155
athing.__get__(self))
1156
for cls in self.__class__.__mro__
1157
for name, athing in
1158
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1159
1160
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1164
def Introspect(self, object_path, connection):
1165
"""Overloading of standard D-Bus method.
1166
1167
Inserts annotation tags on methods and signals.
1168
"""
1169
xmlstring = dbus.service.Object.Introspect(self, object_path,
1170
connection)
1171
try:
1172
document = xml.dom.minidom.parseString(xmlstring)
1173
1174
for if_tag in document.getElementsByTagName("interface"):
1175
# Add annotation tags
1176
for typ in ("method", "signal"):
1177
for tag in if_tag.getElementsByTagName(typ):
1178
annots = dict()
1179
for name, prop in (self.
1180
_get_all_dbus_things(typ)):
1181
if (name == tag.getAttribute("name")
1182
and prop._dbus_interface
1183
== if_tag.getAttribute("name")):
1184
annots.update(getattr(
1185
prop, "_dbus_annotations", {}))
1186
for name, value in annots.items():
1187
ann_tag = document.createElement(
1188
"annotation")
1189
ann_tag.setAttribute("name", name)
1190
ann_tag.setAttribute("value", value)
1191
tag.appendChild(ann_tag)
1192
# Add interface annotation tags
1193
for annotation, value in dict(
1194
itertools.chain.from_iterable(
1195
annotations().items()
1196
for name, annotations
1197
in self._get_all_dbus_things("interface")
1198
if name == if_tag.getAttribute("name")
1199
)).items():
1200
ann_tag = document.createElement("annotation")
1201
ann_tag.setAttribute("name", annotation)
1202
ann_tag.setAttribute("value", value)
1203
if_tag.appendChild(ann_tag)
1204
# Fix argument name for the Introspect method itself
1205
if (if_tag.getAttribute("name")
1206
== dbus.INTROSPECTABLE_IFACE):
1207
for cn in if_tag.getElementsByTagName("method"):
1208
if cn.getAttribute("name") == "Introspect":
1209
for arg in cn.getElementsByTagName("arg"):
1210
if (arg.getAttribute("direction")
1211
== "out"):
1212
arg.setAttribute("name",
1213
"xml_data")
1214
xmlstring = document.toxml("utf-8")
1215
document.unlink()
1216
except (AttributeError, xml.dom.DOMException,
1217
xml.parsers.expat.ExpatError) as error:
1218
logger.error("Failed to override Introspection method",
1219
exc_info=error)
1220
return xmlstring
1221
1222
1223
class DBusObjectWithProperties(DBusObjectWithAnnotations):
699
1224
"""A D-Bus object with properties.
700
1225
701
1226
Classes inheriting from this can use the dbus_service_property
703
1228
standard Get(), Set(), and GetAll() methods on the D-Bus.
704
1229
"""
705
1230
706
@staticmethod
707
def _is_dbus_property(obj):
708
return getattr(obj, "_dbus_is_property", False)
709
710
def _get_all_dbus_properties(self):
711
"""Returns a generator of (name, attribute) pairs
712
"""
713
return ((prop.__get__(self)._dbus_name, prop.__get__(self))
714
for cls in self.__class__.__mro__
715
for name, prop in
716
inspect.getmembers(cls, self._is_dbus_property))
717
718
1231
def _get_dbus_property(self, interface_name, property_name):
719
1232
"""Returns a bound method if one exists which is a D-Bus
720
1233
property with the specified name and interface.
721
1234
"""
722
for cls in self.__class__.__mro__:
723
for name, value in (inspect.getmembers
724
(cls, self._is_dbus_property)):
1235
for cls in self.__class__.__mro__:
1236
for name, value in inspect.getmembers(
1237
cls, self._is_dbus_thing("property")):
725
1238
if (value._dbus_name == property_name
726
1239
and value._dbus_interface == interface_name):
727
1240
return value.__get__(self)
728
1241
729
1242
# No such property
730
raise DBusPropertyNotFound(self.dbus_object_path + ":"
731
+ interface_name + "."
732
+ property_name)
733
734
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
1243
raise DBusPropertyNotFound("{}:{}.{}".format(
1244
self.dbus_object_path, interface_name, property_name))
1245
1246
@classmethod
1247
def _get_all_interface_names(cls):
1248
"""Get a sequence of all interfaces supported by an object"""
1249
return (name for name in set(getattr(getattr(x, attr),
1250
"_dbus_interface", None)
1251
for x in (inspect.getmro(cls))
1252
for attr in dir(x))
1253
if name is not None)
1254
1255
@dbus.service.method(dbus.PROPERTIES_IFACE,
1256
in_signature="ss",
735
1257
out_signature="v")
736
1258
def Get(self, interface_name, property_name):
737
1259
"""Standard D-Bus property Get() method, see D-Bus standard.
755
1277
# The byte_arrays option is not supported yet on
756
1278
# signatures other than "ay".
757
1279
if prop._dbus_signature != "ay":
758
raise ValueError
759
value = dbus.ByteArray(''.join(unichr(byte)
760
for byte in value))
1280
raise ValueError("Byte arrays not supported for non-"
1281
"'ay' signature {!r}"
1282
.format(prop._dbus_signature))
1283
value = dbus.ByteArray(b''.join(chr(byte)
1284
for byte in value))
761
1285
prop(value)
762
1286
763
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
1287
@dbus.service.method(dbus.PROPERTIES_IFACE,
1288
in_signature="s",
764
1289
out_signature="a{sv}")
765
1290
def GetAll(self, interface_name):
766
1291
"""Standard D-Bus property GetAll() method, see D-Bus
768
1293
769
1294
Note: Will not include properties with access="write".
770
1295
"""
771
all = {}
772
for name, prop in self._get_all_dbus_properties():
1296
properties = {}
1297
for name, prop in self._get_all_dbus_things("property"):
773
1298
if (interface_name
774
1299
and interface_name != prop._dbus_interface):
775
1300
# Interface non-empty but did not match
779
1304
continue
780
1305
value = prop()
781
1306
if not hasattr(value, "variant_level"):
782
all[name] = value
1307
properties[name] = value
783
1308
continue
784
all[name] = type(value)(value, variant_level=
785
value.variant_level+1)
786
return dbus.Dictionary(all, signature="sv")
1309
properties[name] = type(value)(
1310
value, variant_level = value.variant_level + 1)
1311
return dbus.Dictionary(properties, signature="sv")
1312
1313
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1314
def PropertiesChanged(self, interface_name, changed_properties,
1315
invalidated_properties):
1316
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
1317
standard.
1318
"""
1319
pass
787
1320
788
1321
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
789
1322
out_signature="s",
790
1323
path_keyword='object_path',
791
1324
connection_keyword='connection')
792
1325
def Introspect(self, object_path, connection):
793
"""Standard D-Bus method, overloaded to insert property tags.
1326
"""Overloading of standard D-Bus method.
1327
1328
Inserts property tags and interface annotation tags.
794
1329
"""
795
xmlstring = dbus.service.Object.Introspect(self, object_path,
796
connection)
1330
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1331
object_path,
1332
connection)
797
1333
try:
798
1334
document = xml.dom.minidom.parseString(xmlstring)
1335
799
1336
def make_tag(document, name, prop):
800
1337
e = document.createElement("property")
801
1338
e.setAttribute("name", name)
802
1339
e.setAttribute("type", prop._dbus_signature)
803
1340
e.setAttribute("access", prop._dbus_access)
804
1341
return e
1342
805
1343
for if_tag in document.getElementsByTagName("interface"):
1344
# Add property tags
806
1345
for tag in (make_tag(document, name, prop)
807
1346
for name, prop
808
in self._get_all_dbus_properties()
1347
in self._get_all_dbus_things("property")
809
1348
if prop._dbus_interface
810
1349
== if_tag.getAttribute("name")):
811
1350
if_tag.appendChild(tag)
1351
# Add annotation tags for properties
1352
for tag in if_tag.getElementsByTagName("property"):
1353
annots = dict()
1354
for name, prop in self._get_all_dbus_things(
1355
"property"):
1356
if (name == tag.getAttribute("name")
1357
and prop._dbus_interface
1358
== if_tag.getAttribute("name")):
1359
annots.update(getattr(
1360
prop, "_dbus_annotations", {}))
1361
for name, value in annots.items():
1362
ann_tag = document.createElement(
1363
"annotation")
1364
ann_tag.setAttribute("name", name)
1365
ann_tag.setAttribute("value", value)
1366
tag.appendChild(ann_tag)
812
1367
# Add the names to the return values for the
813
1368
# "org.freedesktop.DBus.Properties" methods
814
1369
if (if_tag.getAttribute("name")
829
1384
except (AttributeError, xml.dom.DOMException,
830
1385
xml.parsers.expat.ExpatError) as error:
831
1386
logger.error("Failed to override Introspection method",
832
error)
833
return xmlstring
834
835
836
def datetime_to_dbus (dt, variant_level=0):
1387
exc_info=error)
1388
return xmlstring
1389
1390
try:
1391
dbus.OBJECT_MANAGER_IFACE
1392
except AttributeError:
1393
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1394
1395
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1396
"""A D-Bus object with an ObjectManager.
1397
1398
Classes inheriting from this exposes the standard
1399
GetManagedObjects call and the InterfacesAdded and
1400
InterfacesRemoved signals on the standard
1401
"org.freedesktop.DBus.ObjectManager" interface.
1402
1403
Note: No signals are sent automatically; they must be sent
1404
manually.
1405
"""
1406
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1407
out_signature = "a{oa{sa{sv}}}")
1408
def GetManagedObjects(self):
1409
"""This function must be overridden"""
1410
raise NotImplementedError()
1411
1412
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1413
signature = "oa{sa{sv}}")
1414
def InterfacesAdded(self, object_path, interfaces_and_properties):
1415
pass
1416
1417
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1418
def InterfacesRemoved(self, object_path, interfaces):
1419
pass
1420
1421
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1422
out_signature = "s",
1423
path_keyword = 'object_path',
1424
connection_keyword = 'connection')
1425
def Introspect(self, object_path, connection):
1426
"""Overloading of standard D-Bus method.
1427
1428
Override return argument name of GetManagedObjects to be
1429
"objpath_interfaces_and_properties"
1430
"""
1431
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1432
object_path,
1433
connection)
1434
try:
1435
document = xml.dom.minidom.parseString(xmlstring)
1436
1437
for if_tag in document.getElementsByTagName("interface"):
1438
# Fix argument name for the GetManagedObjects method
1439
if (if_tag.getAttribute("name")
1440
== dbus.OBJECT_MANAGER_IFACE):
1441
for cn in if_tag.getElementsByTagName("method"):
1442
if (cn.getAttribute("name")
1443
== "GetManagedObjects"):
1444
for arg in cn.getElementsByTagName("arg"):
1445
if (arg.getAttribute("direction")
1446
== "out"):
1447
arg.setAttribute(
1448
"name",
1449
"objpath_interfaces"
1450
"_and_properties")
1451
xmlstring = document.toxml("utf-8")
1452
document.unlink()
1453
except (AttributeError, xml.dom.DOMException,
1454
xml.parsers.expat.ExpatError) as error:
1455
logger.error("Failed to override Introspection method",
1456
exc_info = error)
1457
return xmlstring
1458
1459
def datetime_to_dbus(dt, variant_level=0):
837
1460
"""Convert a UTC datetime.datetime() to a D-Bus type."""
838
1461
if dt is None:
839
1462
return dbus.String("", variant_level = variant_level)
840
return dbus.String(dt.isoformat(),
841
variant_level=variant_level)
842
843
class AlternateDBusNamesMetaclass(DBusObjectWithProperties
844
.__metaclass__):
845
"""Applied to an empty subclass of a D-Bus object, this metaclass
846
will add additional D-Bus attributes matching a certain pattern.
1463
return dbus.String(dt.isoformat(), variant_level=variant_level)
1464
1465
1466
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1467
"""A class decorator; applied to a subclass of
1468
dbus.service.Object, it will add alternate D-Bus attributes with
1469
interface names according to the "alt_interface_names" mapping.
1470
Usage:
1471
1472
@alternate_dbus_interfaces({"org.example.Interface":
1473
"net.example.AlternateInterface"})
1474
class SampleDBusObject(dbus.service.Object):
1475
@dbus.service.method("org.example.Interface")
1476
def SampleDBusMethod():
1477
pass
1478
1479
The above "SampleDBusMethod" on "SampleDBusObject" will be
1480
reachable via two interfaces: "org.example.Interface" and
1481
"net.example.AlternateInterface", the latter of which will have
1482
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1483
"true", unless "deprecate" is passed with a False value.
1484
1485
This works for methods and signals, and also for D-Bus properties
1486
(from DBusObjectWithProperties) and interfaces (from the
1487
dbus_interface_annotations decorator).
847
1488
"""
848
def __new__(mcs, name, bases, attr):
849
# Go through all the base classes which could have D-Bus
850
# methods, signals, or properties in them
851
for base in (b for b in bases
852
if issubclass(b, dbus.service.Object)):
853
# Go though all attributes of the base class
854
for attrname, attribute in inspect.getmembers(base):
1489
1490
def wrapper(cls):
1491
for orig_interface_name, alt_interface_name in (
1492
alt_interface_names.items()):
1493
attr = {}
1494
interface_names = set()
1495
# Go though all attributes of the class
1496
for attrname, attribute in inspect.getmembers(cls):
855
1497
# Ignore non-D-Bus attributes, and D-Bus attributes
856
1498
# with the wrong interface name
857
1499
if (not hasattr(attribute, "_dbus_interface")
858
or not attribute._dbus_interface
859
.startswith("se.recompile.Mandos")):
1500
or not attribute._dbus_interface.startswith(
1501
orig_interface_name)):
860
1502
continue
861
1503
# Create an alternate D-Bus interface name based on
862
1504
# the current name
863
alt_interface = (attribute._dbus_interface
864
.replace("se.recompile.Mandos",
865
"se.bsnet.fukt.Mandos"))
1505
alt_interface = attribute._dbus_interface.replace(
1506
orig_interface_name, alt_interface_name)
1507
interface_names.add(alt_interface)
866
1508
# Is this a D-Bus signal?
867
1509
if getattr(attribute, "_dbus_is_signal", False):
868
# Extract the original non-method function by
869
# black magic
870
nonmethod_func = (dict(
1510
if sys.version_info.major == 2:
1511
# Extract the original non-method undecorated
1512
# function by black magic
1513
nonmethod_func = (dict(
871
1514
zip(attribute.func_code.co_freevars,
872
attribute.__closure__))["func"]
873
.cell_contents)
1515
attribute.__closure__))
1516
["func"].cell_contents)
1517
else:
1518
nonmethod_func = attribute
874
1519
# Create a new, but exactly alike, function
875
1520
# object, and decorate it to be a new D-Bus signal
876
1521
# with the alternate D-Bus interface name
877
new_function = (dbus.service.signal
878
(alt_interface,
879
attribute._dbus_signature)
880
(types.FunctionType(
881
nonmethod_func.func_code,
882
nonmethod_func.func_globals,
883
nonmethod_func.func_name,
884
nonmethod_func.func_defaults,
885
nonmethod_func.func_closure)))
1522
if sys.version_info.major == 2:
1523
new_function = types.FunctionType(
1524
nonmethod_func.func_code,
1525
nonmethod_func.func_globals,
1526
nonmethod_func.func_name,
1527
nonmethod_func.func_defaults,
1528
nonmethod_func.func_closure)
1529
else:
1530
new_function = types.FunctionType(
1531
nonmethod_func.__code__,
1532
nonmethod_func.__globals__,
1533
nonmethod_func.__name__,
1534
nonmethod_func.__defaults__,
1535
nonmethod_func.__closure__)
1536
new_function = (dbus.service.signal(
1537
alt_interface,
1538
attribute._dbus_signature)(new_function))
1539
# Copy annotations, if any
1540
try:
1541
new_function._dbus_annotations = dict(
1542
attribute._dbus_annotations)
1543
except AttributeError:
1544
pass
886
1545
# Define a creator of a function to call both the
887
# old and new functions, so both the old and new
888
# signals gets sent when the function is called
1546
# original and alternate functions, so both the
1547
# original and alternate signals gets sent when
1548
# the function is called
889
1549
def fixscope(func1, func2):
890
1550
"""This function is a scope container to pass
891
1551
func1 and func2 to the "call_both" function
892
1552
outside of its arguments"""
1553
1554
@functools.wraps(func2)
893
1555
def call_both(*args, **kwargs):
894
1556
"""This function will emit two D-Bus
895
1557
signals by calling func1 and func2"""
896
1558
func1(*args, **kwargs)
897
1559
func2(*args, **kwargs)
1560
# Make wrapper function look like a D-Bus signal
1561
for name, attr in inspect.getmembers(func2):
1562
if name.startswith("_dbus_"):
1563
setattr(call_both, name, attr)
1564
898
1565
return call_both
899
1566
# Create the "call_both" function and add it to
900
1567
# the class
901
attr[attrname] = fixscope(attribute,
902
new_function)
1568
attr[attrname] = fixscope(attribute, new_function)
903
1569
# Is this a D-Bus method?
904
1570
elif getattr(attribute, "_dbus_is_method", False):
905
1571
# Create a new, but exactly alike, function
906
1572
# object. Decorate it to be a new D-Bus method
907
1573
# with the alternate D-Bus interface name. Add it
908
1574
# to the class.
909
attr[attrname] = (dbus.service.method
910
(alt_interface,
911
attribute._dbus_in_signature,
912
attribute._dbus_out_signature)
913
(types.FunctionType
914
(attribute.func_code,
915
attribute.func_globals,
916
attribute.func_name,
917
attribute.func_defaults,
918
attribute.func_closure)))
1575
attr[attrname] = (
1576
dbus.service.method(
1577
alt_interface,
1578
attribute._dbus_in_signature,
1579
attribute._dbus_out_signature)
1580
(types.FunctionType(attribute.func_code,
1581
attribute.func_globals,
1582
attribute.func_name,
1583
attribute.func_defaults,
1584
attribute.func_closure)))
1585
# Copy annotations, if any
1586
try:
1587
attr[attrname]._dbus_annotations = dict(
1588
attribute._dbus_annotations)
1589
except AttributeError:
1590
pass
919
1591
# Is this a D-Bus property?
920
1592
elif getattr(attribute, "_dbus_is_property", False):
921
1593
# Create a new, but exactly alike, function
922
1594
# object, and decorate it to be a new D-Bus
923
1595
# property with the alternate D-Bus interface
924
1596
# name. Add it to the class.
925
attr[attrname] = (dbus_service_property
926
(alt_interface,
927
attribute._dbus_signature,
928
attribute._dbus_access,
929
attribute
930
._dbus_get_args_options
931
["byte_arrays"])
932
(types.FunctionType
933
(attribute.func_code,
934
attribute.func_globals,
935
attribute.func_name,
936
attribute.func_defaults,
937
attribute.func_closure)))
938
return type.__new__(mcs, name, bases, attr)
939
1597
attr[attrname] = (dbus_service_property(
1598
alt_interface, attribute._dbus_signature,
1599
attribute._dbus_access,
1600
attribute._dbus_get_args_options
1601
["byte_arrays"])
1602
(types.FunctionType(
1603
attribute.func_code,
1604
attribute.func_globals,
1605
attribute.func_name,
1606
attribute.func_defaults,
1607
attribute.func_closure)))
1608
# Copy annotations, if any
1609
try:
1610
attr[attrname]._dbus_annotations = dict(
1611
attribute._dbus_annotations)
1612
except AttributeError:
1613
pass
1614
# Is this a D-Bus interface?
1615
elif getattr(attribute, "_dbus_is_interface", False):
1616
# Create a new, but exactly alike, function
1617
# object. Decorate it to be a new D-Bus interface
1618
# with the alternate D-Bus interface name. Add it
1619
# to the class.
1620
attr[attrname] = (
1621
dbus_interface_annotations(alt_interface)
1622
(types.FunctionType(attribute.func_code,
1623
attribute.func_globals,
1624
attribute.func_name,
1625
attribute.func_defaults,
1626
attribute.func_closure)))
1627
if deprecate:
1628
# Deprecate all alternate interfaces
1629
iname="_AlternateDBusNames_interface_annotation{}"
1630
for interface_name in interface_names:
1631
1632
@dbus_interface_annotations(interface_name)
1633
def func(self):
1634
return { "org.freedesktop.DBus.Deprecated":
1635
"true" }
1636
# Find an unused name
1637
for aname in (iname.format(i)
1638
for i in itertools.count()):
1639
if aname not in attr:
1640
attr[aname] = func
1641
break
1642
if interface_names:
1643
# Replace the class with a new subclass of it with
1644
# methods, signals, etc. as created above.
1645
cls = type(b"{}Alternate".format(cls.__name__),
1646
(cls, ), attr)
1647
return cls
1648
1649
return wrapper
1650
1651
1652
@alternate_dbus_interfaces({"se.recompile.Mandos":
1653
"se.bsnet.fukt.Mandos"})
940
1654
class ClientDBus(Client, DBusObjectWithProperties):
941
1655
"""A Client class using D-Bus
942
1656
946
1660
"""
947
1661
948
1662
runtime_expansions = (Client.runtime_expansions
949
+ ("dbus_object_path",))
1663
+ ("dbus_object_path", ))
1664
1665
_interface = "se.recompile.Mandos.Client"
950
1666
951
1667
# dbus.service.Object doesn't use super(), so we can't either.
952
1668
953
1669
def __init__(self, bus = None, *args, **kwargs):
954
1670
self.bus = bus
955
self._approvals_pending = 0
956
1671
Client.__init__(self, *args, **kwargs)
957
self.add_to_dbus()
958
959
def add_to_dbus(self):
960
1672
# Only now, when this client is initialized, can it show up on
961
1673
# the D-Bus
962
client_object_name = unicode(self.name).translate(
1674
client_object_name = str(self.name).translate(
963
1675
{ord("."): ord("_"),
964
1676
ord("-"): ord("_")})
965
self.dbus_object_path = (dbus.ObjectPath
966
("/clients/" + client_object_name))
1677
self.dbus_object_path = dbus.ObjectPath(
1678
"/clients/" + client_object_name)
967
1679
DBusObjectWithProperties.__init__(self, self.bus,
968
1680
self.dbus_object_path)
969
970
def notifychangeproperty(transform_func,
971
dbus_name, type_func=lambda x: x,
972
variant_level=1):
1681
1682
def notifychangeproperty(transform_func, dbus_name,
1683
type_func=lambda x: x,
1684
variant_level=1,
1685
invalidate_only=False,
1686
_interface=_interface):
973
1687
""" Modify a variable so that it's a property which announces
974
1688
its changes to DBus.
975
1689
976
1690
transform_fun: Function that takes a value and a variant_level
977
1691
and transforms it to a D-Bus type.
978
1692
dbus_name: D-Bus name of the variable
980
1694
to the D-Bus. Default: no transform
981
1695
variant_level: D-Bus variant level. Default: 1
982
1696
"""
983
attrname = "_{0}".format(dbus_name)
1697
attrname = "_{}".format(dbus_name)
1698
984
1699
def setter(self, value):
985
1700
if hasattr(self, "dbus_object_path"):
986
1701
if (not hasattr(self, attrname) or
987
1702
type_func(getattr(self, attrname, None))
988
1703
!= type_func(value)):
989
dbus_value = transform_func(type_func(value),
990
variant_level
991
=variant_level)
992
self.PropertyChanged(dbus.String(dbus_name),
993
dbus_value)
1704
if invalidate_only:
1705
self.PropertiesChanged(
1706
_interface, dbus.Dictionary(),
1707
dbus.Array((dbus_name, )))
1708
else:
1709
dbus_value = transform_func(
1710
type_func(value),
1711
variant_level = variant_level)
1712
self.PropertyChanged(dbus.String(dbus_name),
1713
dbus_value)
1714
self.PropertiesChanged(
1715
_interface,
1716
dbus.Dictionary({ dbus.String(dbus_name):
1717
dbus_value }),
1718
dbus.Array())
994
1719
setattr(self, attrname, value)
995
1720
996
1721
return property(lambda self: getattr(self, attrname), setter)
997
1722
998
999
1723
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1000
1724
approvals_pending = notifychangeproperty(dbus.Boolean,
1001
1725
"ApprovalPending",
1003
1727
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1004
1728
last_enabled = notifychangeproperty(datetime_to_dbus,
1005
1729
"LastEnabled")
1006
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1007
type_func = lambda checker:
1008
checker is not None)
1730
checker = notifychangeproperty(
1731
dbus.Boolean, "CheckerRunning",
1732
type_func = lambda checker: checker is not None)
1009
1733
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1010
1734
"LastCheckedOK")
1735
last_checker_status = notifychangeproperty(dbus.Int16,
1736
"LastCheckerStatus")
1011
1737
last_approval_request = notifychangeproperty(
1012
1738
datetime_to_dbus, "LastApprovalRequest")
1013
1739
approved_by_default = notifychangeproperty(dbus.Boolean,
1014
1740
"ApprovedByDefault")
1015
approval_delay = notifychangeproperty(dbus.UInt16,
1016
"ApprovalDelay",
1017
type_func =
1018
_timedelta_to_milliseconds)
1741
approval_delay = notifychangeproperty(
1742
dbus.UInt64, "ApprovalDelay",
1743
type_func = lambda td: td.total_seconds() * 1000)
1019
1744
approval_duration = notifychangeproperty(
1020
dbus.UInt16, "ApprovalDuration",
1021
type_func = _timedelta_to_milliseconds)
1745
dbus.UInt64, "ApprovalDuration",
1746
type_func = lambda td: td.total_seconds() * 1000)
1022
1747
host = notifychangeproperty(dbus.String, "Host")
1023
timeout = notifychangeproperty(dbus.UInt16, "Timeout",
1024
type_func =
1025
_timedelta_to_milliseconds)
1748
timeout = notifychangeproperty(
1749
dbus.UInt64, "Timeout",
1750
type_func = lambda td: td.total_seconds() * 1000)
1026
1751
extended_timeout = notifychangeproperty(
1027
dbus.UInt16, "ExtendedTimeout",
1028
type_func = _timedelta_to_milliseconds)
1029
interval = notifychangeproperty(dbus.UInt16,
1030
"Interval",
1031
type_func =
1032
_timedelta_to_milliseconds)
1752
dbus.UInt64, "ExtendedTimeout",
1753
type_func = lambda td: td.total_seconds() * 1000)
1754
interval = notifychangeproperty(
1755
dbus.UInt64, "Interval",
1756
type_func = lambda td: td.total_seconds() * 1000)
1033
1757
checker_command = notifychangeproperty(dbus.String, "Checker")
1758
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1759
invalidate_only=True)
1034
1760
1035
1761
del notifychangeproperty
1036
1762
1043
1769
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1044
1770
Client.__del__(self, *args, **kwargs)
1045
1771
1046
def checker_callback(self, pid, condition, command,
1047
*args, **kwargs):
1048
self.checker_callback_tag = None
1049
self.checker = None
1050
if os.WIFEXITED(condition):
1051
exitstatus = os.WEXITSTATUS(condition)
1772
def checker_callback(self, source, condition,
1773
connection, command, *args, **kwargs):
1774
ret = Client.checker_callback(self, source, condition,
1775
connection, command, *args,
1776
**kwargs)
1777
exitstatus = self.last_checker_status
1778
if exitstatus >= 0:
1052
1779
# Emit D-Bus signal
1053
1780
self.CheckerCompleted(dbus.Int16(exitstatus),
1054
dbus.Int64(condition),
1781
# This is specific to GNU libC
1782
dbus.Int64(exitstatus << 8),
1055
1783
dbus.String(command))
1056
1784
else:
1057
1785
# Emit D-Bus signal
1058
1786
self.CheckerCompleted(dbus.Int16(-1),
1059
dbus.Int64(condition),
1787
dbus.Int64(
1788
# This is specific to GNU libC
1789
(exitstatus << 8)
1790
| self.last_checker_signal),
1060
1791
dbus.String(command))
1061
1062
return Client.checker_callback(self, pid, condition, command,
1063
*args, **kwargs)
1792
return ret
1064
1793
1065
1794
def start_checker(self, *args, **kwargs):
1066
old_checker = self.checker
1067
if self.checker is not None:
1068
old_checker_pid = self.checker.pid
1069
else:
1070
old_checker_pid = None
1795
old_checker_pid = getattr(self.checker, "pid", None)
1071
1796
r = Client.start_checker(self, *args, **kwargs)
1072
1797
# Only if new checker process was started
1073
1798
if (self.checker is not None
1077
1802
return r
1078
1803
1079
1804
def _reset_approved(self):
1080
self._approved = None
1805
self.approved = None
1081
1806
return False
1082
1807
1083
1808
def approve(self, value=True):
1809
self.approved = value
1810
GObject.timeout_add(int(self.approval_duration.total_seconds()
1811
* 1000), self._reset_approved)
1084
1812
self.send_changedstate()
1085
self._approved = value
1086
gobject.timeout_add(_timedelta_to_milliseconds
1087
(self.approval_duration),
1088
self._reset_approved)
1089
1090
1813
1091
1814
## D-Bus methods, signals & properties
1092
_interface = "se.recompile.Mandos.Client"
1815
1816
## Interfaces
1093
1817
1094
1818
## Signals
1095
1819
1106
1830
pass
1107
1831
1108
1832
# PropertyChanged - signal
1833
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1109
1834
@dbus.service.signal(_interface, signature="sv")
1110
1835
def PropertyChanged(self, property, value):
1111
1836
"D-Bus signal"
1145
1870
self.checked_ok()
1146
1871
1147
1872
# Enable - method
1873
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1148
1874
@dbus.service.method(_interface)
1149
1875
def Enable(self):
1150
1876
"D-Bus method"
1151
1877
self.enable()
1152
1878
1153
1879
# StartChecker - method
1880
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1154
1881
@dbus.service.method(_interface)
1155
1882
def StartChecker(self):
1156
1883
"D-Bus method"
1157
1884
self.start_checker()
1158
1885
1159
1886
# Disable - method
1887
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1160
1888
@dbus.service.method(_interface)
1161
1889
def Disable(self):
1162
1890
"D-Bus method"
1163
1891
self.disable()
1164
1892
1165
1893
# StopChecker - method
1894
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1166
1895
@dbus.service.method(_interface)
1167
1896
def StopChecker(self):
1168
1897
self.stop_checker()
1175
1904
return dbus.Boolean(bool(self.approvals_pending))
1176
1905
1177
1906
# ApprovedByDefault - property
1178
@dbus_service_property(_interface, signature="b",
1907
@dbus_service_property(_interface,
1908
signature="b",
1179
1909
access="readwrite")
1180
1910
def ApprovedByDefault_dbus_property(self, value=None):
1181
1911
if value is None: # get
1183
1913
self.approved_by_default = bool(value)
1184
1914
1185
1915
# ApprovalDelay - property
1186
@dbus_service_property(_interface, signature="t",
1916
@dbus_service_property(_interface,
1917
signature="t",
1187
1918
access="readwrite")
1188
1919
def ApprovalDelay_dbus_property(self, value=None):
1189
1920
if value is None: # get
1190
return dbus.UInt64(self.approval_delay_milliseconds())
1921
return dbus.UInt64(self.approval_delay.total_seconds()
1922
* 1000)
1191
1923
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1192
1924
1193
1925
# ApprovalDuration - property
1194
@dbus_service_property(_interface, signature="t",
1926
@dbus_service_property(_interface,
1927
signature="t",
1195
1928
access="readwrite")
1196
1929
def ApprovalDuration_dbus_property(self, value=None):
1197
1930
if value is None: # get
1198
return dbus.UInt64(_timedelta_to_milliseconds(
1199
self.approval_duration))
1931
return dbus.UInt64(self.approval_duration.total_seconds()
1932
* 1000)
1200
1933
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1201
1934
1202
1935
# Name - property
1936
@dbus_annotations(
1937
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1203
1938
@dbus_service_property(_interface, signature="s", access="read")
1204
1939
def Name_dbus_property(self):
1205
1940
return dbus.String(self.name)
1206
1941
1207
1942
# Fingerprint - property
1943
@dbus_annotations(
1944
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1208
1945
@dbus_service_property(_interface, signature="s", access="read")
1209
1946
def Fingerprint_dbus_property(self):
1210
1947
return dbus.String(self.fingerprint)
1211
1948
1212
1949
# Host - property
1213
@dbus_service_property(_interface, signature="s",
1950
@dbus_service_property(_interface,
1951
signature="s",
1214
1952
access="readwrite")
1215
1953
def Host_dbus_property(self, value=None):
1216
1954
if value is None: # get
1217
1955
return dbus.String(self.host)
1218
self.host = value
1956
self.host = str(value)
1219
1957
1220
1958
# Created - property
1959
@dbus_annotations(
1960
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1221
1961
@dbus_service_property(_interface, signature="s", access="read")
1222
1962
def Created_dbus_property(self):
1223
return dbus.String(datetime_to_dbus(self.created))
1963
return datetime_to_dbus(self.created)
1224
1964
1225
1965
# LastEnabled - property
1226
1966
@dbus_service_property(_interface, signature="s", access="read")
1228
1968
return datetime_to_dbus(self.last_enabled)
1229
1969
1230
1970
# Enabled - property
1231
@dbus_service_property(_interface, signature="b",
1971
@dbus_service_property(_interface,
1972
signature="b",
1232
1973
access="readwrite")
1233
1974
def Enabled_dbus_property(self, value=None):
1234
1975
if value is None: # get
1239
1980
self.disable()
1240
1981
1241
1982
# LastCheckedOK - property
1242
@dbus_service_property(_interface, signature="s",
1983
@dbus_service_property(_interface,
1984
signature="s",
1243
1985
access="readwrite")
1244
1986
def LastCheckedOK_dbus_property(self, value=None):
1245
1987
if value is not None:
1247
1989
return
1248
1990
return datetime_to_dbus(self.last_checked_ok)
1249
1991
1992
# LastCheckerStatus - property
1993
@dbus_service_property(_interface, signature="n", access="read")
1994
def LastCheckerStatus_dbus_property(self):
1995
return dbus.Int16(self.last_checker_status)
1996
1250
1997
# Expires - property
1251
1998
@dbus_service_property(_interface, signature="s", access="read")
1252
1999
def Expires_dbus_property(self):
1258
2005
return datetime_to_dbus(self.last_approval_request)
1259
2006
1260
2007
# Timeout - property
1261
@dbus_service_property(_interface, signature="t",
2008
@dbus_service_property(_interface,
2009
signature="t",
1262
2010
access="readwrite")
1263
2011
def Timeout_dbus_property(self, value=None):
1264
2012
if value is None: # get
1265
return dbus.UInt64(self.timeout_milliseconds())
2013
return dbus.UInt64(self.timeout.total_seconds() * 1000)
2014
old_timeout = self.timeout
1266
2015
self.timeout = datetime.timedelta(0, 0, 0, value)
1267
if getattr(self, "disable_initiator_tag", None) is None:
1268
return
1269
# Reschedule timeout
1270
gobject.source_remove(self.disable_initiator_tag)
1271
self.disable_initiator_tag = None
1272
self.expires = None
1273
time_to_die = _timedelta_to_milliseconds((self
1274
.last_checked_ok
1275
+ self.timeout)
1276
- datetime.datetime
1277
.utcnow())
1278
if time_to_die <= 0:
1279
# The timeout has passed
1280
self.disable()
1281
else:
1282
self.expires = (datetime.datetime.utcnow()
1283
+ datetime.timedelta(milliseconds =
1284
time_to_die))
1285
self.disable_initiator_tag = (gobject.timeout_add
1286
(time_to_die, self.disable))
2016
# Reschedule disabling
2017
if self.enabled:
2018
now = datetime.datetime.utcnow()
2019
self.expires += self.timeout - old_timeout
2020
if self.expires <= now:
2021
# The timeout has passed
2022
self.disable()
2023
else:
2024
if (getattr(self, "disable_initiator_tag", None)
2025
is None):
2026
return
2027
GObject.source_remove(self.disable_initiator_tag)
2028
self.disable_initiator_tag = GObject.timeout_add(
2029
int((self.expires - now).total_seconds() * 1000),
2030
self.disable)
1287
2031
1288
2032
# ExtendedTimeout - property
1289
@dbus_service_property(_interface, signature="t",
2033
@dbus_service_property(_interface,
2034
signature="t",
1290
2035
access="readwrite")
1291
2036
def ExtendedTimeout_dbus_property(self, value=None):
1292
2037
if value is None: # get
1293
return dbus.UInt64(self.extended_timeout_milliseconds())
2038
return dbus.UInt64(self.extended_timeout.total_seconds()
2039
* 1000)
1294
2040
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1295
2041
1296
2042
# Interval - property
1297
@dbus_service_property(_interface, signature="t",
2043
@dbus_service_property(_interface,
2044
signature="t",
1298
2045
access="readwrite")
1299
2046
def Interval_dbus_property(self, value=None):
1300
2047
if value is None: # get
1301
return dbus.UInt64(self.interval_milliseconds())
2048
return dbus.UInt64(self.interval.total_seconds() * 1000)
1302
2049
self.interval = datetime.timedelta(0, 0, 0, value)
1303
2050
if getattr(self, "checker_initiator_tag", None) is None:
1304
2051
return
1305
# Reschedule checker run
1306
gobject.source_remove(self.checker_initiator_tag)
1307
self.checker_initiator_tag = (gobject.timeout_add
1308
(value, self.start_checker))
1309
self.start_checker() # Start one now, too
2052
if self.enabled:
2053
# Reschedule checker run
2054
GObject.source_remove(self.checker_initiator_tag)
2055
self.checker_initiator_tag = GObject.timeout_add(
2056
value, self.start_checker)
2057
self.start_checker() # Start one now, too
1310
2058
1311
2059
# Checker - property
1312
@dbus_service_property(_interface, signature="s",
2060
@dbus_service_property(_interface,
2061
signature="s",
1313
2062
access="readwrite")
1314
2063
def Checker_dbus_property(self, value=None):
1315
2064
if value is None: # get
1316
2065
return dbus.String(self.checker_command)
1317
self.checker_command = value
2066
self.checker_command = str(value)
1318
2067
1319
2068
# CheckerRunning - property
1320
@dbus_service_property(_interface, signature="b",
2069
@dbus_service_property(_interface,
2070
signature="b",
1321
2071
access="readwrite")
1322
2072
def CheckerRunning_dbus_property(self, value=None):
1323
2073
if value is None: # get
1328
2078
self.stop_checker()
1329
2079
1330
2080
# ObjectPath - property
2081
@dbus_annotations(
2082
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2083
"org.freedesktop.DBus.Deprecated": "true"})
1331
2084
@dbus_service_property(_interface, signature="o", access="read")
1332
2085
def ObjectPath_dbus_property(self):
1333
2086
return self.dbus_object_path # is already a dbus.ObjectPath
1334
2087
1335
2088
# Secret = property
1336
@dbus_service_property(_interface, signature="ay",
1337
access="write", byte_arrays=True)
2089
@dbus_annotations(
2090
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2091
"invalidates"})
2092
@dbus_service_property(_interface,
2093
signature="ay",
2094
access="write",
2095
byte_arrays=True)
1338
2096
def Secret_dbus_property(self, value):
1339
self.secret = str(value)
2097
self.secret = bytes(value)
1340
2098
1341
2099
del _interface
1342
2100
1346
2104
self._pipe = child_pipe
1347
2105
self._pipe.send(('init', fpr, address))
1348
2106
if not self._pipe.recv():
1349
raise KeyError()
2107
raise KeyError(fpr)
1350
2108
1351
2109
def __getattribute__(self, name):
1352
if(name == '_pipe'):
2110
if name == '_pipe':
1353
2111
return super(ProxyClient, self).__getattribute__(name)
1354
2112
self._pipe.send(('getattr', name))
1355
2113
data = self._pipe.recv()
1356
2114
if data[0] == 'data':
1357
2115
return data[1]
1358
2116
if data[0] == 'function':
2117
1359
2118
def func(*args, **kwargs):
1360
2119
self._pipe.send(('funcall', name, args, kwargs))
1361
2120
return self._pipe.recv()[1]
2121
1362
2122
return func
1363
2123
1364
2124
def __setattr__(self, name, value):
1365
if(name == '_pipe'):
2125
if name == '_pipe':
1366
2126
return super(ProxyClient, self).__setattr__(name, value)
1367
2127
self._pipe.send(('setattr', name, value))
1368
2128
1369
class ClientDBusTransitional(ClientDBus):
1370
__metaclass__ = AlternateDBusNamesMetaclass
1371
2129
1372
2130
class ClientHandler(socketserver.BaseRequestHandler, object):
1373
2131
"""A class to handle client connections.
1378
2136
def handle(self):
1379
2137
with contextlib.closing(self.server.child_pipe) as child_pipe:
1380
2138
logger.info("TCP connection from: %s",
1381
unicode(self.client_address))
2139
str(self.client_address))
1382
2140
logger.debug("Pipe FD: %d",
1383
2141
self.server.child_pipe.fileno())
1384
2142
1385
session = (gnutls.connection
1386
.ClientSession(self.request,
1387
gnutls.connection
1388
.X509Credentials()))
1389
1390
# Note: gnutls.connection.X509Credentials is really a
1391
# generic GnuTLS certificate credentials object so long as
1392
# no X.509 keys are added to it. Therefore, we can use it
1393
# here despite using OpenPGP certificates.
2143
session = gnutls.ClientSession(self.request)
1394
2144
1395
2145
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1396
2146
# "+AES-256-CBC", "+SHA1",
1400
2150
priority = self.server.gnutls_priority
1401
2151
if priority is None:
1402
2152
priority = "NORMAL"
1403
(gnutls.library.functions
1404
.gnutls_priority_set_direct(session._c_object,
1405
priority, None))
2153
gnutls.priority_set_direct(session._c_object, priority,
2154
None)
1406
2155
1407
2156
# Start communication using the Mandos protocol
1408
2157
# Get protocol number
1410
2159
logger.debug("Protocol version: %r", line)
1411
2160
try:
1412
2161
if int(line.strip().split()[0]) > 1:
1413
raise RuntimeError
2162
raise RuntimeError(line)
1414
2163
except (ValueError, IndexError, RuntimeError) as error:
1415
2164
logger.error("Unknown protocol version: %s", error)
1416
2165
return
1418
2167
# Start GnuTLS connection
1419
2168
try:
1420
2169
session.handshake()
1421
except gnutls.errors.GNUTLSError as error:
2170
except gnutls.Error as error:
1422
2171
logger.warning("Handshake failed: %s", error)
1423
2172
# Do not run session.bye() here: the session is not
1424
2173
# established. Just abandon the request.
1428
2177
approval_required = False
1429
2178
try:
1430
2179
try:
1431
fpr = self.fingerprint(self.peer_certificate
1432
(session))
1433
except (TypeError,
1434
gnutls.errors.GNUTLSError) as error:
2180
fpr = self.fingerprint(
2181
self.peer_certificate(session))
2182
except (TypeError, gnutls.Error) as error:
1435
2183
logger.warning("Bad certificate: %s", error)
1436
2184
return
1437
2185
logger.debug("Fingerprint: %s", fpr)
1450
2198
while True:
1451
2199
if not client.enabled:
1452
2200
logger.info("Client %s is disabled",
1453
client.name)
2201
client.name)
1454
2202
if self.server.use_dbus:
1455
2203
# Emit D-Bus signal
1456
2204
client.Rejected("Disabled")
1457
2205
return
1458
2206
1459
if client._approved or not client.approval_delay:
2207
if client.approved or not client.approval_delay:
1460
2208
#We are approved or approval is disabled
1461
2209
break
1462
elif client._approved is None:
2210
elif client.approved is None:
1463
2211
logger.info("Client %s needs approval",
1464
2212
client.name)
1465
2213
if self.server.use_dbus:
1466
2214
# Emit D-Bus signal
1467
2215
client.NeedApproval(
1468
client.approval_delay_milliseconds(),
1469
client.approved_by_default)
2216
client.approval_delay.total_seconds()
2217
* 1000, client.approved_by_default)
1470
2218
else:
1471
2219
logger.warning("Client %s was not approved",
1472
2220
client.name)
1478
2226
#wait until timeout or approved
1479
2227
time = datetime.datetime.now()
1480
2228
client.changedstate.acquire()
1481
(client.changedstate.wait
1482
(float(client._timedelta_to_milliseconds(delay)
1483
/ 1000)))
2229
client.changedstate.wait(delay.total_seconds())
1484
2230
client.changedstate.release()
1485
2231
time2 = datetime.datetime.now()
1486
2232
if (time2 - time) >= delay:
1497
2243
else:
1498
2244
delay -= time2 - time
1499
2245
1500
sent_size = 0
1501
while sent_size < len(client.secret):
1502
try:
1503
sent = session.send(client.secret[sent_size:])
1504
except gnutls.errors.GNUTLSError as error:
1505
logger.warning("gnutls send failed")
1506
return
1507
logger.debug("Sent: %d, remaining: %d",
1508
sent, len(client.secret)
1509
- (sent_size + sent))
1510
sent_size += sent
2246
try:
2247
session.send(client.secret)
2248
except gnutls.Error as error:
2249
logger.warning("gnutls send failed",
2250
exc_info = error)
2251
return
1511
2252
1512
2253
logger.info("Sending secret to %s", client.name)
1513
2254
# bump the timeout using extended_timeout
1514
client.checked_ok(client.extended_timeout)
2255
client.bump_timeout(client.extended_timeout)
1515
2256
if self.server.use_dbus:
1516
2257
# Emit D-Bus signal
1517
2258
client.GotSecret()
1521
2262
client.approvals_pending -= 1
1522
2263
try:
1523
2264
session.bye()
1524
except gnutls.errors.GNUTLSError as error:
1525
logger.warning("GnuTLS bye failed")
2265
except gnutls.Error as error:
2266
logger.warning("GnuTLS bye failed",
2267
exc_info=error)
1526
2268
1527
2269
@staticmethod
1528
2270
def peer_certificate(session):
1529
2271
"Return the peer's OpenPGP certificate as a bytestring"
1530
2272
# If not an OpenPGP certificate...
1531
if (gnutls.library.functions
1532
.gnutls_certificate_type_get(session._c_object)
1533
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1534
# ...do the normal thing
1535
return session.peer_certificate
2273
if (gnutls.certificate_type_get(session._c_object)
2274
!= gnutls.CRT_OPENPGP):
2275
# ...return invalid data
2276
return b""
1536
2277
list_size = ctypes.c_uint(1)
1537
cert_list = (gnutls.library.functions
1538
.gnutls_certificate_get_peers
2278
cert_list = (gnutls.certificate_get_peers
1539
2279
(session._c_object, ctypes.byref(list_size)))
1540
2280
if not bool(cert_list) and list_size.value != 0:
1541
raise gnutls.errors.GNUTLSError("error getting peer"
1542
" certificate")
2281
raise gnutls.Error("error getting peer certificate")
1543
2282
if list_size.value == 0:
1544
2283
return None
1545
2284
cert = cert_list[0]
1549
2288
def fingerprint(openpgp):
1550
2289
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1551
2290
# New GnuTLS "datum" with the OpenPGP public key
1552
datum = (gnutls.library.types
1553
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1554
ctypes.POINTER
1555
(ctypes.c_ubyte)),
1556
ctypes.c_uint(len(openpgp))))
2291
datum = gnutls.datum_t(
2292
ctypes.cast(ctypes.c_char_p(openpgp),
2293
ctypes.POINTER(ctypes.c_ubyte)),
2294
ctypes.c_uint(len(openpgp)))
1557
2295
# New empty GnuTLS certificate
1558
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1559
(gnutls.library.functions
1560
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
2296
crt = gnutls.openpgp_crt_t()
2297
gnutls.openpgp_crt_init(ctypes.byref(crt))
1561
2298
# Import the OpenPGP public key into the certificate
1562
(gnutls.library.functions
1563
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1564
gnutls.library.constants
1565
.GNUTLS_OPENPGP_FMT_RAW))
2299
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2300
gnutls.OPENPGP_FMT_RAW)
1566
2301
# Verify the self signature in the key
1567
2302
crtverify = ctypes.c_uint()
1568
(gnutls.library.functions
1569
.gnutls_openpgp_crt_verify_self(crt, 0,
1570
ctypes.byref(crtverify)))
2303
gnutls.openpgp_crt_verify_self(crt, 0,
2304
ctypes.byref(crtverify))
1571
2305
if crtverify.value != 0:
1572
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1573
raise (gnutls.errors.CertificateSecurityError
1574
("Verify failed"))
2306
gnutls.openpgp_crt_deinit(crt)
2307
raise gnutls.CertificateSecurityError("Verify failed")
1575
2308
# New buffer for the fingerprint
1576
2309
buf = ctypes.create_string_buffer(20)
1577
2310
buf_len = ctypes.c_size_t()
1578
2311
# Get the fingerprint from the certificate into the buffer
1579
(gnutls.library.functions
1580
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1581
ctypes.byref(buf_len)))
2312
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2313
ctypes.byref(buf_len))
1582
2314
# Deinit the certificate
1583
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2315
gnutls.openpgp_crt_deinit(crt)
1584
2316
# Convert the buffer to a Python bytestring
1585
2317
fpr = ctypes.string_at(buf, buf_len.value)
1586
2318
# Convert the bytestring to hexadecimal notation
1587
hex_fpr = ''.join("%02X" % ord(char) for char in fpr)
2319
hex_fpr = binascii.hexlify(fpr).upper()
1588
2320
return hex_fpr
1589
2321
1590
2322
1591
2323
class MultiprocessingMixIn(object):
1592
2324
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2325
1593
2326
def sub_process_main(self, request, address):
1594
2327
try:
1595
2328
self.finish_request(request, address)
1596
except:
2329
except Exception:
1597
2330
self.handle_error(request, address)
1598
2331
self.close_request(request)
1599
2332
1600
2333
def process_request(self, request, address):
1601
2334
"""Start a new process to process the request."""
1602
2335
proc = multiprocessing.Process(target = self.sub_process_main,
1603
args = (request,
1604
address))
2336
args = (request, address))
1605
2337
proc.start()
1606
2338
return proc
1607
2339
1608
2340
1609
2341
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1610
2342
""" adds a pipe to the MixIn """
2343
1611
2344
def process_request(self, request, client_address):
1612
2345
"""Overrides and wraps the original process_request().
1613
2346
1622
2355
1623
2356
def add_pipe(self, parent_pipe, proc):
1624
2357
"""Dummy function; override as necessary"""
1625
raise NotImplementedError
2358
raise NotImplementedError()
1626
2359
1627
2360
1628
2361
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1634
2367
interface: None or a network interface name (string)
1635
2368
use_ipv6: Boolean; to use IPv6 or not
1636
2369
"""
2370
1637
2371
def __init__(self, server_address, RequestHandlerClass,
1638
interface=None, use_ipv6=True):
2372
interface=None,
2373
use_ipv6=True,
2374
socketfd=None):
2375
"""If socketfd is set, use that file descriptor instead of
2376
creating a new one with socket.socket().
2377
"""
1639
2378
self.interface = interface
1640
2379
if use_ipv6:
1641
2380
self.address_family = socket.AF_INET6
2381
if socketfd is not None:
2382
# Save the file descriptor
2383
self.socketfd = socketfd
2384
# Save the original socket.socket() function
2385
self.socket_socket = socket.socket
2386
# To implement --socket, we monkey patch socket.socket.
2387
#
2388
# (When socketserver.TCPServer is a new-style class, we
2389
# could make self.socket into a property instead of monkey
2390
# patching socket.socket.)
2391
#
2392
# Create a one-time-only replacement for socket.socket()
2393
@functools.wraps(socket.socket)
2394
def socket_wrapper(*args, **kwargs):
2395
# Restore original function so subsequent calls are
2396
# not affected.
2397
socket.socket = self.socket_socket
2398
del self.socket_socket
2399
# This time only, return a new socket object from the
2400
# saved file descriptor.
2401
return socket.fromfd(self.socketfd, *args, **kwargs)
2402
# Replace socket.socket() function with wrapper
2403
socket.socket = socket_wrapper
2404
# The socketserver.TCPServer.__init__ will call
2405
# socket.socket(), which might be our replacement,
2406
# socket_wrapper(), if socketfd was set.
1642
2407
socketserver.TCPServer.__init__(self, server_address,
1643
2408
RequestHandlerClass)
2409
1644
2410
def server_bind(self):
1645
2411
"""This overrides the normal server_bind() function
1646
2412
to bind to an interface if one was specified, and also NOT to
1652
2418
self.interface)
1653
2419
else:
1654
2420
try:
1655
self.socket.setsockopt(socket.SOL_SOCKET,
1656
SO_BINDTODEVICE,
1657
str(self.interface
1658
+ '\0'))
2421
self.socket.setsockopt(
2422
socket.SOL_SOCKET, SO_BINDTODEVICE,
2423
(self.interface + "\0").encode("utf-8"))
1659
2424
except socket.error as error:
1660
if error[0] == errno.EPERM:
1661
logger.error("No permission to"
1662
" bind to interface %s",
1663
self.interface)
1664
elif error[0] == errno.ENOPROTOOPT:
2425
if error.errno == errno.EPERM:
2426
logger.error("No permission to bind to"
2427
" interface %s", self.interface)
2428
elif error.errno == errno.ENOPROTOOPT:
1665
2429
logger.error("SO_BINDTODEVICE not available;"
1666
2430
" cannot bind to interface %s",
1667
2431
self.interface)
2432
elif error.errno == errno.ENODEV:
2433
logger.error("Interface %s does not exist,"
2434
" cannot bind", self.interface)
1668
2435
else:
1669
2436
raise
1670
2437
# Only bind(2) the socket if we really need to.
1673
2440
if self.address_family == socket.AF_INET6:
1674
2441
any_address = "::" # in6addr_any
1675
2442
else:
1676
any_address = socket.INADDR_ANY
2443
any_address = "0.0.0.0" # INADDR_ANY
1677
2444
self.server_address = (any_address,
1678
2445
self.server_address[1])
1679
2446
elif not self.server_address[1]:
1680
self.server_address = (self.server_address[0],
1681
0)
2447
self.server_address = (self.server_address[0], 0)
1682
2448
# if self.interface:
1683
2449
# self.server_address = (self.server_address[0],
1684
2450
# 0, # port
1696
2462
gnutls_priority GnuTLS priority string
1697
2463
use_dbus: Boolean; to emit D-Bus signals or not
1698
2464
1699
Assumes a gobject.MainLoop event loop.
2465
Assumes a GObject.MainLoop event loop.
1700
2466
"""
2467
1701
2468
def __init__(self, server_address, RequestHandlerClass,
1702
interface=None, use_ipv6=True, clients=None,
1703
gnutls_priority=None, use_dbus=True):
2469
interface=None,
2470
use_ipv6=True,
2471
clients=None,
2472
gnutls_priority=None,
2473
use_dbus=True,
2474
socketfd=None):
1704
2475
self.enabled = False
1705
2476
self.clients = clients
1706
2477
if self.clients is None:
1710
2481
IPv6_TCPServer.__init__(self, server_address,
1711
2482
RequestHandlerClass,
1712
2483
interface = interface,
1713
use_ipv6 = use_ipv6)
2484
use_ipv6 = use_ipv6,
2485
socketfd = socketfd)
2486
1714
2487
def server_activate(self):
1715
2488
if self.enabled:
1716
2489
return socketserver.TCPServer.server_activate(self)
1720
2493
1721
2494
def add_pipe(self, parent_pipe, proc):
1722
2495
# Call "handle_ipc" for both data and EOF events
1723
gobject.io_add_watch(parent_pipe.fileno(),
1724
gobject.IO_IN | gobject.IO_HUP,
1725
functools.partial(self.handle_ipc,
1726
parent_pipe =
1727
parent_pipe,
1728
proc = proc))
2496
GObject.io_add_watch(
2497
parent_pipe.fileno(),
2498
GObject.IO_IN | GObject.IO_HUP,
2499
functools.partial(self.handle_ipc,
2500
parent_pipe = parent_pipe,
2501
proc = proc))
1729
2502
1730
def handle_ipc(self, source, condition, parent_pipe=None,
1731
proc = None, client_object=None):
1732
condition_names = {
1733
gobject.IO_IN: "IN", # There is data to read.
1734
gobject.IO_OUT: "OUT", # Data can be written (without
1735
# blocking).
1736
gobject.IO_PRI: "PRI", # There is urgent data to read.
1737
gobject.IO_ERR: "ERR", # Error condition.
1738
gobject.IO_HUP: "HUP" # Hung up (the connection has been
1739
# broken, usually for pipes and
1740
# sockets).
1741
}
1742
conditions_string = ' | '.join(name
1743
for cond, name in
1744
condition_names.iteritems()
1745
if cond & condition)
2503
def handle_ipc(self, source, condition,
2504
parent_pipe=None,
2505
proc = None,
2506
client_object=None):
1746
2507
# error, or the other end of multiprocessing.Pipe has closed
1747
if condition & (gobject.IO_ERR | condition & gobject.IO_HUP):
2508
if condition & (GObject.IO_ERR | GObject.IO_HUP):
1748
2509
# Wait for other process to exit
1749
2510
proc.join()
1750
2511
return False
1771
2532
parent_pipe.send(False)
1772
2533
return False
1773
2534
1774
gobject.io_add_watch(parent_pipe.fileno(),
1775
gobject.IO_IN | gobject.IO_HUP,
1776
functools.partial(self.handle_ipc,
1777
parent_pipe =
1778
parent_pipe,
1779
proc = proc,
1780
client_object =
1781
client))
2535
GObject.io_add_watch(
2536
parent_pipe.fileno(),
2537
GObject.IO_IN | GObject.IO_HUP,
2538
functools.partial(self.handle_ipc,
2539
parent_pipe = parent_pipe,
2540
proc = proc,
2541
client_object = client))
1782
2542
parent_pipe.send(True)
1783
2543
# remove the old hook in favor of the new above hook on
1784
2544
# same fileno
1790
2550
1791
2551
parent_pipe.send(('data', getattr(client_object,
1792
2552
funcname)(*args,
1793
**kwargs)))
2553
**kwargs)))
1794
2554
1795
2555
if command == 'getattr':
1796
2556
attrname = request[1]
1797
if callable(client_object.__getattribute__(attrname)):
1798
parent_pipe.send(('function',))
2557
if isinstance(client_object.__getattribute__(attrname),
2558
collections.Callable):
2559
parent_pipe.send(('function', ))
1799
2560
else:
1800
parent_pipe.send(('data', client_object
1801
.__getattribute__(attrname)))
2561
parent_pipe.send((
2562
'data', client_object.__getattribute__(attrname)))
1802
2563
1803
2564
if command == 'setattr':
1804
2565
attrname = request[1]
1808
2569
return True
1809
2570
1810
2571
2572
def rfc3339_duration_to_delta(duration):
2573
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2574
2575
>>> rfc3339_duration_to_delta("P7D")
2576
datetime.timedelta(7)
2577
>>> rfc3339_duration_to_delta("PT60S")
2578
datetime.timedelta(0, 60)
2579
>>> rfc3339_duration_to_delta("PT60M")
2580
datetime.timedelta(0, 3600)
2581
>>> rfc3339_duration_to_delta("PT24H")
2582
datetime.timedelta(1)
2583
>>> rfc3339_duration_to_delta("P1W")
2584
datetime.timedelta(7)
2585
>>> rfc3339_duration_to_delta("PT5M30S")
2586
datetime.timedelta(0, 330)
2587
>>> rfc3339_duration_to_delta("P1DT3M20S")
2588
datetime.timedelta(1, 200)
2589
"""
2590
2591
# Parsing an RFC 3339 duration with regular expressions is not
2592
# possible - there would have to be multiple places for the same
2593
# values, like seconds. The current code, while more esoteric, is
2594
# cleaner without depending on a parsing library. If Python had a
2595
# built-in library for parsing we would use it, but we'd like to
2596
# avoid excessive use of external libraries.
2597
2598
# New type for defining tokens, syntax, and semantics all-in-one
2599
Token = collections.namedtuple("Token", (
2600
"regexp", # To match token; if "value" is not None, must have
2601
# a "group" containing digits
2602
"value", # datetime.timedelta or None
2603
"followers")) # Tokens valid after this token
2604
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2605
# the "duration" ABNF definition in RFC 3339, Appendix A.
2606
token_end = Token(re.compile(r"$"), None, frozenset())
2607
token_second = Token(re.compile(r"(\d+)S"),
2608
datetime.timedelta(seconds=1),
2609
frozenset((token_end, )))
2610
token_minute = Token(re.compile(r"(\d+)M"),
2611
datetime.timedelta(minutes=1),
2612
frozenset((token_second, token_end)))
2613
token_hour = Token(re.compile(r"(\d+)H"),
2614
datetime.timedelta(hours=1),
2615
frozenset((token_minute, token_end)))
2616
token_time = Token(re.compile(r"T"),
2617
None,
2618
frozenset((token_hour, token_minute,
2619
token_second)))
2620
token_day = Token(re.compile(r"(\d+)D"),
2621
datetime.timedelta(days=1),
2622
frozenset((token_time, token_end)))
2623
token_month = Token(re.compile(r"(\d+)M"),
2624
datetime.timedelta(weeks=4),
2625
frozenset((token_day, token_end)))
2626
token_year = Token(re.compile(r"(\d+)Y"),
2627
datetime.timedelta(weeks=52),
2628
frozenset((token_month, token_end)))
2629
token_week = Token(re.compile(r"(\d+)W"),
2630
datetime.timedelta(weeks=1),
2631
frozenset((token_end, )))
2632
token_duration = Token(re.compile(r"P"), None,
2633
frozenset((token_year, token_month,
2634
token_day, token_time,
2635
token_week)))
2636
# Define starting values
2637
value = datetime.timedelta() # Value so far
2638
found_token = None
2639
followers = frozenset((token_duration, )) # Following valid tokens
2640
s = duration # String left to parse
2641
# Loop until end token is found
2642
while found_token is not token_end:
2643
# Search for any currently valid tokens
2644
for token in followers:
2645
match = token.regexp.match(s)
2646
if match is not None:
2647
# Token found
2648
if token.value is not None:
2649
# Value found, parse digits
2650
factor = int(match.group(1), 10)
2651
# Add to value so far
2652
value += factor * token.value
2653
# Strip token from string
2654
s = token.regexp.sub("", s, 1)
2655
# Go to found token
2656
found_token = token
2657
# Set valid next tokens
2658
followers = found_token.followers
2659
break
2660
else:
2661
# No currently valid tokens were found
2662
raise ValueError("Invalid RFC 3339 duration: {!r}"
2663
.format(duration))
2664
# End token found
2665
return value
2666
2667
1811
2668
def string_to_delta(interval):
1812
2669
"""Parse a string and return a datetime.timedelta
1813
2670
1824
2681
>>> string_to_delta('5m 30s')
1825
2682
datetime.timedelta(0, 330)
1826
2683
"""
2684
2685
try:
2686
return rfc3339_duration_to_delta(interval)
2687
except ValueError:
2688
pass
2689
1827
2690
timevalue = datetime.timedelta(0)
1828
2691
for s in interval.split():
1829
2692
try:
1830
suffix = unicode(s[-1])
2693
suffix = s[-1]
1831
2694
value = int(s[:-1])
1832
2695
if suffix == "d":
1833
2696
delta = datetime.timedelta(value)
1840
2703
elif suffix == "w":
1841
2704
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
1842
2705
else:
1843
raise ValueError("Unknown suffix %r" % suffix)
1844
except (ValueError, IndexError) as e:
2706
raise ValueError("Unknown suffix {!r}".format(suffix))
2707
except IndexError as e:
1845
2708
raise ValueError(*(e.args))
1846
2709
timevalue += delta
1847
2710
return timevalue
1848
2711
1849
2712
1850
def if_nametoindex(interface):
1851
"""Call the C function if_nametoindex(), or equivalent
1852
1853
Note: This function cannot accept a unicode string."""
1854
global if_nametoindex
1855
try:
1856
if_nametoindex = (ctypes.cdll.LoadLibrary
1857
(ctypes.util.find_library("c"))
1858
.if_nametoindex)
1859
except (OSError, AttributeError):
1860
logger.warning("Doing if_nametoindex the hard way")
1861
def if_nametoindex(interface):
1862
"Get an interface index the hard way, i.e. using fcntl()"
1863
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
1864
with contextlib.closing(socket.socket()) as s:
1865
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
1866
struct.pack(str("16s16x"),
1867
interface))
1868
interface_index = struct.unpack(str("I"),
1869
ifreq[16:20])[0]
1870
return interface_index
1871
return if_nametoindex(interface)
1872
1873
1874
2713
def daemon(nochdir = False, noclose = False):
1875
2714
"""See daemon(3). Standard BSD Unix function.
1876
2715
1884
2723
sys.exit()
1885
2724
if not noclose:
1886
2725
# Close all standard open file descriptors
1887
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2726
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
1888
2727
if not stat.S_ISCHR(os.fstat(null).st_mode):
1889
2728
raise OSError(errno.ENODEV,
1890
"%s not a character device"
1891
% os.path.devnull)
2729
"{} not a character device"
2730
.format(os.devnull))
1892
2731
os.dup2(null, sys.stdin.fileno())
1893
2732
os.dup2(null, sys.stdout.fileno())
1894
2733
os.dup2(null, sys.stderr.fileno())
1903
2742
1904
2743
parser = argparse.ArgumentParser()
1905
2744
parser.add_argument("-v", "--version", action="version",
1906
version = "%%(prog)s %s" % version,
2745
version = "%(prog)s {}".format(version),
1907
2746
help="show version number and exit")
1908
2747
parser.add_argument("-i", "--interface", metavar="IF",
1909
2748
help="Bind to interface IF")
1915
2754
help="Run self-test")
1916
2755
parser.add_argument("--debug", action="store_true",
1917
2756
help="Debug mode; run in foreground and log"
1918
" to terminal")
2757
" to terminal", default=None)
1919
2758
parser.add_argument("--debuglevel", metavar="LEVEL",
1920
2759
help="Debug level for stdout output")
1921
2760
parser.add_argument("--priority", help="GnuTLS"
1928
2767
" files")
1929
2768
parser.add_argument("--no-dbus", action="store_false",
1930
2769
dest="use_dbus", help="Do not provide D-Bus"
1931
" system bus interface")
2770
" system bus interface", default=None)
1932
2771
parser.add_argument("--no-ipv6", action="store_false",
1933
dest="use_ipv6", help="Do not use IPv6")
2772
dest="use_ipv6", help="Do not use IPv6",
2773
default=None)
1934
2774
parser.add_argument("--no-restore", action="store_false",
1935
dest="restore",
1936
help="Do not restore stored state",
1937
default=True)
1938
2775
dest="restore", help="Do not restore stored"
2776
" state", default=None)
2777
parser.add_argument("--socket", type=int,
2778
help="Specify a file descriptor to a network"
2779
" socket to use instead of creating one")
2780
parser.add_argument("--statedir", metavar="DIR",
2781
help="Directory to save/restore state in")
2782
parser.add_argument("--foreground", action="store_true",
2783
help="Run in foreground", default=None)
2784
parser.add_argument("--no-zeroconf", action="store_false",
2785
dest="zeroconf", help="Do not use Zeroconf",
2786
default=None)
2787
1939
2788
options = parser.parse_args()
1940
2789
1941
2790
if options.check:
1942
2791
import doctest
1943
doctest.testmod()
1944
sys.exit()
2792
fail_count, test_count = doctest.testmod()
2793
sys.exit(os.EX_OK if fail_count == 0 else 1)
1945
2794
1946
2795
# Default values for config file for server-global settings
1947
2796
server_defaults = { "interface": "",
1949
2798
"port": "",
1950
2799
"debug": "False",
1951
2800
"priority":
1952
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP",
2801
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2802
":+SIGN-DSA-SHA256",
1953
2803
"servicename": "Mandos",
1954
2804
"use_dbus": "True",
1955
2805
"use_ipv6": "True",
1956
2806
"debuglevel": "",
1957
}
2807
"restore": "True",
2808
"socket": "",
2809
"statedir": "/var/lib/mandos",
2810
"foreground": "False",
2811
"zeroconf": "True",
2812
}
1958
2813
1959
2814
# Parse config file for server-global settings
1960
2815
server_config = configparser.SafeConfigParser(server_defaults)
1961
2816
del server_defaults
1962
server_config.read(os.path.join(options.configdir,
1963
"mandos.conf"))
2817
server_config.read(os.path.join(options.configdir, "mandos.conf"))
1964
2818
# Convert the SafeConfigParser object to a dict
1965
2819
server_settings = server_config.defaults()
1966
2820
# Use the appropriate methods on the non-string config options
1967
for option in ("debug", "use_dbus", "use_ipv6"):
2821
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
1968
2822
server_settings[option] = server_config.getboolean("DEFAULT",
1969
2823
option)
1970
2824
if server_settings["port"]:
1971
2825
server_settings["port"] = server_config.getint("DEFAULT",
1972
2826
"port")
2827
if server_settings["socket"]:
2828
server_settings["socket"] = server_config.getint("DEFAULT",
2829
"socket")
2830
# Later, stdin will, and stdout and stderr might, be dup'ed
2831
# over with an opened os.devnull. But we don't want this to
2832
# happen with a supplied network socket.
2833
if 0 <= server_settings["socket"] <= 2:
2834
server_settings["socket"] = os.dup(server_settings
2835
["socket"])
1973
2836
del server_config
1974
2837
1975
2838
# Override the settings from the config file with command line
1976
2839
# options, if set.
1977
2840
for option in ("interface", "address", "port", "debug",
1978
"priority", "servicename", "configdir",
1979
"use_dbus", "use_ipv6", "debuglevel", "restore"):
2841
"priority", "servicename", "configdir", "use_dbus",
2842
"use_ipv6", "debuglevel", "restore", "statedir",
2843
"socket", "foreground", "zeroconf"):
1980
2844
value = getattr(options, option)
1981
2845
if value is not None:
1982
2846
server_settings[option] = value
1983
2847
del options
1984
2848
# Force all strings to be unicode
1985
2849
for option in server_settings.keys():
1986
if type(server_settings[option]) is str:
1987
server_settings[option] = unicode(server_settings[option])
2850
if isinstance(server_settings[option], bytes):
2851
server_settings[option] = (server_settings[option]
2852
.decode("utf-8"))
2853
# Force all boolean options to be boolean
2854
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2855
"foreground", "zeroconf"):
2856
server_settings[option] = bool(server_settings[option])
2857
# Debug implies foreground
2858
if server_settings["debug"]:
2859
server_settings["foreground"] = True
1988
2860
# Now we have our good server settings in "server_settings"
1989
2861
1990
2862
##################################################################
1991
2863
2864
if (not server_settings["zeroconf"]
2865
and not (server_settings["port"]
2866
or server_settings["socket"] != "")):
2867
parser.error("Needs port or socket to work without Zeroconf")
2868
1992
2869
# For convenience
1993
2870
debug = server_settings["debug"]
1994
2871
debuglevel = server_settings["debuglevel"]
1995
2872
use_dbus = server_settings["use_dbus"]
1996
2873
use_ipv6 = server_settings["use_ipv6"]
2874
stored_state_path = os.path.join(server_settings["statedir"],
2875
stored_state_file)
2876
foreground = server_settings["foreground"]
2877
zeroconf = server_settings["zeroconf"]
2878
2879
if debug:
2880
initlogger(debug, logging.DEBUG)
2881
else:
2882
if not debuglevel:
2883
initlogger(debug)
2884
else:
2885
level = getattr(logging, debuglevel.upper())
2886
initlogger(debug, level)
1997
2887
1998
2888
if server_settings["servicename"] != "Mandos":
1999
syslogger.setFormatter(logging.Formatter
2000
('Mandos (%s) [%%(process)d]:'
2001
' %%(levelname)s: %%(message)s'
2002
% server_settings["servicename"]))
2889
syslogger.setFormatter(
2890
logging.Formatter('Mandos ({}) [%(process)d]:'
2891
' %(levelname)s: %(message)s'.format(
2892
server_settings["servicename"])))
2003
2893
2004
2894
# Parse config file with clients
2005
client_defaults = { "timeout": "5m",
2006
"extended_timeout": "15m",
2007
"interval": "2m",
2008
"checker": "fping -q -- %%(host)s",
2009
"host": "",
2010
"approval_delay": "0s",
2011
"approval_duration": "1s",
2012
}
2013
client_config = configparser.SafeConfigParser(client_defaults)
2895
client_config = configparser.SafeConfigParser(Client
2896
.client_defaults)
2014
2897
client_config.read(os.path.join(server_settings["configdir"],
2015
2898
"clients.conf"))
2016
2899
2017
2900
global mandos_dbus_service
2018
2901
mandos_dbus_service = None
2019
2902
2020
tcp_server = MandosServer((server_settings["address"],
2021
server_settings["port"]),
2022
ClientHandler,
2023
interface=(server_settings["interface"]
2024
or None),
2025
use_ipv6=use_ipv6,
2026
gnutls_priority=
2027
server_settings["priority"],
2028
use_dbus=use_dbus)
2029
if not debug:
2030
pidfilename = "/var/run/mandos.pid"
2903
socketfd = None
2904
if server_settings["socket"] != "":
2905
socketfd = server_settings["socket"]
2906
tcp_server = MandosServer(
2907
(server_settings["address"], server_settings["port"]),
2908
ClientHandler,
2909
interface=(server_settings["interface"] or None),
2910
use_ipv6=use_ipv6,
2911
gnutls_priority=server_settings["priority"],
2912
use_dbus=use_dbus,
2913
socketfd=socketfd)
2914
if not foreground:
2915
pidfilename = "/run/mandos.pid"
2916
if not os.path.isdir("/run/."):
2917
pidfilename = "/var/run/mandos.pid"
2918
pidfile = None
2031
2919
try:
2032
pidfile = open(pidfilename, "w")
2033
except IOError:
2034
logger.error("Could not open file %r", pidfilename)
2920
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2921
except IOError as e:
2922
logger.error("Could not open file %r", pidfilename,
2923
exc_info=e)
2035
2924
2036
try:
2037
uid = pwd.getpwnam("_mandos").pw_uid
2038
gid = pwd.getpwnam("_mandos").pw_gid
2039
except KeyError:
2925
for name, group in (("_mandos", "_mandos"),
2926
("mandos", "mandos"),
2927
("nobody", "nogroup")):
2040
2928
try:
2041
uid = pwd.getpwnam("mandos").pw_uid
2042
gid = pwd.getpwnam("mandos").pw_gid
2929
uid = pwd.getpwnam(name).pw_uid
2930
gid = pwd.getpwnam(group).pw_gid
2931
break
2043
2932
except KeyError:
2044
try:
2045
uid = pwd.getpwnam("nobody").pw_uid
2046
gid = pwd.getpwnam("nobody").pw_gid
2047
except KeyError:
2048
uid = 65534
2049
gid = 65534
2933
continue
2934
else:
2935
uid = 65534
2936
gid = 65534
2050
2937
try:
2051
2938
os.setgid(gid)
2052
2939
os.setuid(uid)
2940
if debug:
2941
logger.debug("Did setuid/setgid to {}:{}".format(uid,
2942
gid))
2053
2943
except OSError as error:
2054
if error[0] != errno.EPERM:
2055
raise error
2056
2057
if not debug and not debuglevel:
2058
logger.setLevel(logging.WARNING)
2059
if debuglevel:
2060
level = getattr(logging, debuglevel.upper())
2061
logger.setLevel(level)
2944
logger.warning("Failed to setuid/setgid to {}:{}: {}"
2945
.format(uid, gid, os.strerror(error.errno)))
2946
if error.errno != errno.EPERM:
2947
raise
2062
2948
2063
2949
if debug:
2064
logger.setLevel(logging.DEBUG)
2065
2950
# Enable all possible GnuTLS debugging
2066
2951
2067
2952
# "Use a log level over 10 to enable all debugging options."
2068
2953
# - GnuTLS manual
2069
gnutls.library.functions.gnutls_global_set_log_level(11)
2954
gnutls.global_set_log_level(11)
2070
2955
2071
@gnutls.library.types.gnutls_log_func
2956
@gnutls.log_func
2072
2957
def debug_gnutls(level, string):
2073
2958
logger.debug("GnuTLS: %s", string[:-1])
2074
2959
2075
(gnutls.library.functions
2076
.gnutls_global_set_log_function(debug_gnutls))
2960
gnutls.global_set_log_function(debug_gnutls)
2077
2961
2078
2962
# Redirect stdin so all checkers get /dev/null
2079
null = os.open(os.path.devnull, os.O_NOCTTY | os.O_RDWR)
2963
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2080
2964
os.dup2(null, sys.stdin.fileno())
2081
2965
if null > 2:
2082
2966
os.close(null)
2083
else:
2084
# No console logging
2085
logger.removeHandler(console)
2086
2967
2087
2968
# Need to fork before connecting to D-Bus
2088
if not debug:
2969
if not foreground:
2089
2970
# Close all input and output, do double fork, etc.
2090
2971
daemon()
2091
2972
2973
# multiprocessing will use threads, so before we use GObject we
2974
# need to inform GObject that threads will be used.
2975
GObject.threads_init()
2976
2092
2977
global main_loop
2093
2978
# From the Avahi example code
2094
DBusGMainLoop(set_as_default=True )
2095
main_loop = gobject.MainLoop()
2979
DBusGMainLoop(set_as_default=True)
2980
main_loop = GObject.MainLoop()
2096
2981
bus = dbus.SystemBus()
2097
2982
# End of Avahi example code
2098
2983
if use_dbus:
2099
2984
try:
2100
2985
bus_name = dbus.service.BusName("se.recompile.Mandos",
2101
bus, do_not_queue=True)
2102
old_bus_name = (dbus.service.BusName
2103
("se.bsnet.fukt.Mandos", bus,
2104
do_not_queue=True))
2105
except dbus.exceptions.NameExistsException as e:
2106
logger.error(unicode(e) + ", disabling D-Bus")
2986
bus,
2987
do_not_queue=True)
2988
old_bus_name = dbus.service.BusName(
2989
"se.bsnet.fukt.Mandos", bus,
2990
do_not_queue=True)
2991
except dbus.exceptions.DBusException as e:
2992
logger.error("Disabling D-Bus:", exc_info=e)
2107
2993
use_dbus = False
2108
2994
server_settings["use_dbus"] = False
2109
2995
tcp_server.use_dbus = False
2110
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2111
service = AvahiServiceToSyslog(name =
2112
server_settings["servicename"],
2113
servicetype = "_mandos._tcp",
2114
protocol = protocol, bus = bus)
2115
if server_settings["interface"]:
2116
service.interface = (if_nametoindex
2117
(str(server_settings["interface"])))
2996
if zeroconf:
2997
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2998
service = AvahiServiceToSyslog(
2999
name = server_settings["servicename"],
3000
servicetype = "_mandos._tcp",
3001
protocol = protocol,
3002
bus = bus)
3003
if server_settings["interface"]:
3004
service.interface = if_nametoindex(
3005
server_settings["interface"].encode("utf-8"))
2118
3006
2119
3007
global multiprocessing_manager
2120
3008
multiprocessing_manager = multiprocessing.Manager()
2121
3009
2122
3010
client_class = Client
2123
3011
if use_dbus:
2124
client_class = functools.partial(ClientDBusTransitional,
2125
bus = bus)
2126
2127
special_settings = {
2128
# Some settings need to be accessd by special methods;
2129
# booleans need .getboolean(), etc. Here is a list of them:
2130
"approved_by_default":
2131
lambda section:
2132
client_config.getboolean(section, "approved_by_default"),
2133
}
2134
# Construct a new dict of client settings of this form:
2135
# { client_name: {setting_name: value, ...}, ...}
2136
# with exceptions for any special settings as defined above
2137
client_settings = dict((clientname,
2138
dict((setting,
2139
(value if
2140
setting not in special_settings
2141
else special_settings[setting]
2142
(clientname)))
2143
for setting, value
2144
in client_config.items(clientname)))
2145
for clientname in client_config.sections())
2146
3012
client_class = functools.partial(ClientDBus, bus = bus)
3013
3014
client_settings = Client.config_parser(client_config)
2147
3015
old_client_settings = {}
2148
clients_data = []
2149
2150
# Get client data and settings from last running state.
3016
clients_data = {}
3017
3018
# This is used to redirect stdout and stderr for checker processes
3019
global wnull
3020
wnull = open(os.devnull, "w") # A writable /dev/null
3021
# Only used if server is running in foreground but not in debug
3022
# mode
3023
if debug or not foreground:
3024
wnull.close()
3025
3026
# Get client data and settings from last running state.
2151
3027
if server_settings["restore"]:
2152
3028
try:
2153
3029
with open(stored_state_path, "rb") as stored_state:
2154
clients_data, old_client_settings = (
2155
pickle.load(stored_state))
3030
clients_data, old_client_settings = pickle.load(
3031
stored_state)
2156
3032
os.remove(stored_state_path)
2157
3033
except IOError as e:
2158
logger.warning("Could not load persistant state: {0}"
2159
.format(e))
2160
if e.errno != errno.ENOENT:
3034
if e.errno == errno.ENOENT:
3035
logger.warning("Could not load persistent state:"
3036
" {}".format(os.strerror(e.errno)))
3037
else:
3038
logger.critical("Could not load persistent state:",
3039
exc_info=e)
2161
3040
raise
2162
2163
for client in clients_data:
2164
client_name = client["name"]
2165
2166
# Decide which value to use after restoring saved state.
2167
# We have three different values: Old config file,
2168
# new config file, and saved state.
2169
# New config value takes precedence if it differs from old
2170
# config value, otherwise use saved state.
2171
for name, value in client_settings[client_name].items():
3041
except EOFError as e:
3042
logger.warning("Could not load persistent state: "
3043
"EOFError:",
3044
exc_info=e)
3045
3046
with PGPEngine() as pgp:
3047
for client_name, client in clients_data.items():
3048
# Skip removed clients
3049
if client_name not in client_settings:
3050
continue
3051
3052
# Decide which value to use after restoring saved state.
3053
# We have three different values: Old config file,
3054
# new config file, and saved state.
3055
# New config value takes precedence if it differs from old
3056
# config value, otherwise use saved state.
3057
for name, value in client_settings[client_name].items():
3058
try:
3059
# For each value in new config, check if it
3060
# differs from the old config value (Except for
3061
# the "secret" attribute)
3062
if (name != "secret"
3063
and (value !=
3064
old_client_settings[client_name][name])):
3065
client[name] = value
3066
except KeyError:
3067
pass
3068
3069
# Clients who has passed its expire date can still be
3070
# enabled if its last checker was successful. A Client
3071
# whose checker succeeded before we stored its state is
3072
# assumed to have successfully run all checkers during
3073
# downtime.
3074
if client["enabled"]:
3075
if datetime.datetime.utcnow() >= client["expires"]:
3076
if not client["last_checked_ok"]:
3077
logger.warning(
3078
"disabling client {} - Client never "
3079
"performed a successful checker".format(
3080
client_name))
3081
client["enabled"] = False
3082
elif client["last_checker_status"] != 0:
3083
logger.warning(
3084
"disabling client {} - Client last"
3085
" checker failed with error code"
3086
" {}".format(
3087
client_name,
3088
client["last_checker_status"]))
3089
client["enabled"] = False
3090
else:
3091
client["expires"] = (
3092
datetime.datetime.utcnow()
3093
+ client["timeout"])
3094
logger.debug("Last checker succeeded,"
3095
" keeping {} enabled".format(
3096
client_name))
2172
3097
try:
2173
# For each value in new config, check if it differs
2174
# from the old config value (Except for the "secret"
2175
# attribute)
2176
if (name != "secret" and
2177
value != old_client_settings[client_name][name]):
2178
setattr(client, name, value)
2179
except KeyError:
2180
pass
2181
2182
# Clients who has passed its expire date, can still be enabled
2183
# if its last checker was sucessful. Clients who checkers
2184
# failed before we stored it state is asumed to had failed
2185
# checker during downtime.
2186
if client["enabled"] and client["last_checked_ok"]:
2187
if ((datetime.datetime.utcnow()
2188
- client["last_checked_ok"]) > client["interval"]):
2189
if client["last_checker_status"] != 0:
2190
client["enabled"] = False
2191
else:
2192
client["expires"] = (datetime.datetime.utcnow()
2193
+ client["timeout"])
2194
2195
client["changedstate"] = (multiprocessing_manager
2196
.Condition(multiprocessing_manager
2197
.Lock()))
2198
if use_dbus:
2199
new_client = ClientDBusTransitional.__new__(
2200
ClientDBusTransitional)
2201
tcp_server.clients[client_name] = new_client
2202
new_client.bus = bus
2203
for name, value in client.iteritems():
2204
setattr(new_client, name, value)
2205
new_client._approvals_pending = 0
2206
new_client.add_to_dbus()
2207
else:
2208
tcp_server.clients[client_name] = Client.__new__(Client)
2209
for name, value in client.iteritems():
2210
setattr(tcp_server.clients[client_name], name, value)
2211
2212
tcp_server.clients[client_name].decrypt_secret(
2213
client_settings[client_name]["secret"])
2214
2215
# Create/remove clients based on new changes made to config
2216
for clientname in set(old_client_settings) - set(client_settings):
2217
del tcp_server.clients[clientname]
2218
for clientname in set(client_settings) - set(old_client_settings):
2219
tcp_server.clients[clientname] = client_class(name
2220
= clientname,
2221
config =
2222
client_settings
2223
[clientname])
3098
client["secret"] = pgp.decrypt(
3099
client["encrypted_secret"],
3100
client_settings[client_name]["secret"])
3101
except PGPError:
3102
# If decryption fails, we use secret from new settings
3103
logger.debug("Failed to decrypt {} old secret".format(
3104
client_name))
3105
client["secret"] = (client_settings[client_name]
3106
["secret"])
3107
3108
# Add/remove clients based on new changes made to config
3109
for client_name in (set(old_client_settings)
3110
- set(client_settings)):
3111
del clients_data[client_name]
3112
for client_name in (set(client_settings)
3113
- set(old_client_settings)):
3114
clients_data[client_name] = client_settings[client_name]
3115
3116
# Create all client objects
3117
for client_name, client in clients_data.items():
3118
tcp_server.clients[client_name] = client_class(
3119
name = client_name,
3120
settings = client,
3121
server_settings = server_settings)
2224
3122
2225
3123
if not tcp_server.clients:
2226
3124
logger.warning("No clients defined")
2227
2228
if not debug:
2229
try:
2230
with pidfile:
2231
pid = os.getpid()
2232
pidfile.write(str(pid) + "\n".encode("utf-8"))
2233
del pidfile
2234
except IOError:
2235
logger.error("Could not write to file %r with PID %d",
2236
pidfilename, pid)
2237
except NameError:
2238
# "pidfile" was never created
2239
pass
3125
3126
if not foreground:
3127
if pidfile is not None:
3128
pid = os.getpid()
3129
try:
3130
with pidfile:
3131
print(pid, file=pidfile)
3132
except IOError:
3133
logger.error("Could not write to file %r with PID %d",
3134
pidfilename, pid)
3135
del pidfile
2240
3136
del pidfilename
2241
2242
signal.signal(signal.SIGINT, signal.SIG_IGN)
2243
3137
2244
3138
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2245
3139
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2246
3140
2247
3141
if use_dbus:
2248
class MandosDBusService(dbus.service.Object):
3142
3143
@alternate_dbus_interfaces(
3144
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3145
class MandosDBusService(DBusObjectWithObjectManager):
2249
3146
"""A D-Bus proxy object"""
3147
2250
3148
def __init__(self):
2251
3149
dbus.service.Object.__init__(self, bus, "/")
3150
2252
3151
_interface = "se.recompile.Mandos"
2253
3152
2254
3153
@dbus.service.signal(_interface, signature="o")
2261
3160
"D-Bus signal"
2262
3161
pass
2263
3162
3163
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3164
"true"})
2264
3165
@dbus.service.signal(_interface, signature="os")
2265
3166
def ClientRemoved(self, objpath, name):
2266
3167
"D-Bus signal"
2267
3168
pass
2268
3169
3170
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3171
"true"})
2269
3172
@dbus.service.method(_interface, out_signature="ao")
2270
3173
def GetAllClients(self):
2271
3174
"D-Bus method"
2272
return dbus.Array(c.dbus_object_path
2273
for c in
3175
return dbus.Array(c.dbus_object_path for c in
2274
3176
tcp_server.clients.itervalues())
2275
3177
3178
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3179
"true"})
2276
3180
@dbus.service.method(_interface,
2277
3181
out_signature="a{oa{sv}}")
2278
3182
def GetAllClientsWithProperties(self):
2279
3183
"D-Bus method"
2280
3184
return dbus.Dictionary(
2281
((c.dbus_object_path, c.GetAll(""))
2282
for c in tcp_server.clients.itervalues()),
3185
{ c.dbus_object_path: c.GetAll(
3186
"se.recompile.Mandos.Client")
3187
for c in tcp_server.clients.itervalues() },
2283
3188
signature="oa{sv}")
2284
3189
2285
3190
@dbus.service.method(_interface, in_signature="o")
2289
3194
if c.dbus_object_path == object_path:
2290
3195
del tcp_server.clients[c.name]
2291
3196
c.remove_from_connection()
2292
# Don't signal anything except ClientRemoved
3197
# Don't signal the disabling
2293
3198
c.disable(quiet=True)
2294
# Emit D-Bus signal
2295
self.ClientRemoved(object_path, c.name)
3199
# Emit D-Bus signal for removal
3200
self.client_removed_signal(c)
2296
3201
return
2297
3202
raise KeyError(object_path)
2298
3203
2299
3204
del _interface
3205
3206
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3207
out_signature = "a{oa{sa{sv}}}")
3208
def GetManagedObjects(self):
3209
"""D-Bus method"""
3210
return dbus.Dictionary(
3211
{ client.dbus_object_path:
3212
dbus.Dictionary(
3213
{ interface: client.GetAll(interface)
3214
for interface in
3215
client._get_all_interface_names()})
3216
for client in tcp_server.clients.values()})
3217
3218
def client_added_signal(self, client):
3219
"""Send the new standard signal and the old signal"""
3220
if use_dbus:
3221
# New standard signal
3222
self.InterfacesAdded(
3223
client.dbus_object_path,
3224
dbus.Dictionary(
3225
{ interface: client.GetAll(interface)
3226
for interface in
3227
client._get_all_interface_names()}))
3228
# Old signal
3229
self.ClientAdded(client.dbus_object_path)
3230
3231
def client_removed_signal(self, client):
3232
"""Send the new standard signal and the old signal"""
3233
if use_dbus:
3234
# New standard signal
3235
self.InterfacesRemoved(
3236
client.dbus_object_path,
3237
client._get_all_interface_names())
3238
# Old signal
3239
self.ClientRemoved(client.dbus_object_path,
3240
client.name)
2300
3241
2301
class MandosDBusServiceTransitional(MandosDBusService):
2302
__metaclass__ = AlternateDBusNamesMetaclass
2303
mandos_dbus_service = MandosDBusServiceTransitional()
3242
mandos_dbus_service = MandosDBusService()
2304
3243
2305
3244
def cleanup():
2306
3245
"Cleanup function; run on exit"
2307
service.cleanup()
3246
if zeroconf:
3247
service.cleanup()
2308
3248
2309
3249
multiprocessing.active_children()
3250
wnull.close()
2310
3251
if not (tcp_server.clients or client_settings):
2311
3252
return
2312
3253
2313
3254
# Store client before exiting. Secrets are encrypted with key
2314
3255
# based on what config file has. If config file is
2315
3256
# removed/edited, old secret will thus be unrecovable.
2316
clients = []
2317
for client in tcp_server.clients.itervalues():
2318
client.encrypt_secret(
2319
client_settings[client.name]["secret"])
2320
2321
client_dict = {}
2322
2323
# A list of attributes that will not be stored when
2324
# shutting down.
2325
exclude = set(("bus", "changedstate", "secret"))
2326
for name, typ in inspect.getmembers(dbus.service.Object):
2327
exclude.add(name)
2328
2329
client_dict["encrypted_secret"] = client.encrypted_secret
2330
for attr in client.client_structure:
2331
if attr not in exclude:
2332
client_dict[attr] = getattr(client, attr)
2333
2334
clients.append(client_dict)
2335
del client_settings[client.name]["secret"]
2336
3257
clients = {}
3258
with PGPEngine() as pgp:
3259
for client in tcp_server.clients.itervalues():
3260
key = client_settings[client.name]["secret"]
3261
client.encrypted_secret = pgp.encrypt(client.secret,
3262
key)
3263
client_dict = {}
3264
3265
# A list of attributes that can not be pickled
3266
# + secret.
3267
exclude = { "bus", "changedstate", "secret",
3268
"checker", "server_settings" }
3269
for name, typ in inspect.getmembers(dbus.service
3270
.Object):
3271
exclude.add(name)
3272
3273
client_dict["encrypted_secret"] = (client
3274
.encrypted_secret)
3275
for attr in client.client_structure:
3276
if attr not in exclude:
3277
client_dict[attr] = getattr(client, attr)
3278
3279
clients[client.name] = client_dict
3280
del client_settings[client.name]["secret"]
3281
2337
3282
try:
2338
with os.fdopen(os.open(stored_state_path,
2339
os.O_CREAT|os.O_WRONLY|os.O_TRUNC,
2340
stat.S_IRUSR | stat.S_IWUSR),
2341
"wb") as stored_state:
3283
with tempfile.NamedTemporaryFile(
3284
mode='wb',
3285
suffix=".pickle",
3286
prefix='clients-',
3287
dir=os.path.dirname(stored_state_path),
3288
delete=False) as stored_state:
2342
3289
pickle.dump((clients, client_settings), stored_state)
2343
except IOError as e:
2344
logger.warning("Could not save persistant state: {0}"
2345
.format(e))
2346
if e.errno != errno.ENOENT:
3290
tempname = stored_state.name
3291
os.rename(tempname, stored_state_path)
3292
except (IOError, OSError) as e:
3293
if not debug:
3294
try:
3295
os.remove(tempname)
3296
except NameError:
3297
pass
3298
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
3299
logger.warning("Could not save persistent state: {}"
3300
.format(os.strerror(e.errno)))
3301
else:
3302
logger.warning("Could not save persistent state:",
3303
exc_info=e)
2347
3304
raise
2348
3305
2349
3306
# Delete all clients, and settings from config
2350
3307
while tcp_server.clients:
2351
3308
name, client = tcp_server.clients.popitem()
2352
3309
if use_dbus:
2353
3310
client.remove_from_connection()
2354
# Don't signal anything except ClientRemoved
3311
# Don't signal the disabling
2355
3312
client.disable(quiet=True)
3313
# Emit D-Bus signal for removal
2356
3314
if use_dbus:
2357
# Emit D-Bus signal
2358
mandos_dbus_service.ClientRemoved(client
2359
.dbus_object_path,
2360
client.name)
3315
mandos_dbus_service.client_removed_signal(client)
2361
3316
client_settings.clear()
2362
3317
2363
3318
atexit.register(cleanup)
2364
3319
2365
3320
for client in tcp_server.clients.itervalues():
2366
3321
if use_dbus:
2367
# Emit D-Bus signal
2368
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3322
# Emit D-Bus signal for adding
3323
mandos_dbus_service.client_added_signal(client)
2369
3324
# Need to initiate checking of clients
2370
3325
if client.enabled:
2371
3326
client.init_checker()
2372
2373
3327
2374
3328
tcp_server.enable()
2375
3329
tcp_server.server_activate()
2376
3330
2377
3331
# Find out what port we got
2378
service.port = tcp_server.socket.getsockname()[1]
3332
if zeroconf:
3333
service.port = tcp_server.socket.getsockname()[1]
2379
3334
if use_ipv6:
2380
3335
logger.info("Now listening on address %r, port %d,"
2381
" flowinfo %d, scope_id %d"
2382
% tcp_server.socket.getsockname())
3336
" flowinfo %d, scope_id %d",
3337
*tcp_server.socket.getsockname())
2383
3338
else: # IPv4
2384
logger.info("Now listening on address %r, port %d"
2385
% tcp_server.socket.getsockname())
3339
logger.info("Now listening on address %r, port %d",
3340
*tcp_server.socket.getsockname())
2386
3341
2387
3342
#service.interface = tcp_server.socket.getsockname()[3]
2388
3343
2389
3344
try:
2390
# From the Avahi example code
2391
try:
2392
service.activate()
2393
except dbus.exceptions.DBusException as error:
2394
logger.critical("DBusException: %s", error)
2395
cleanup()
2396
sys.exit(1)
2397
# End of Avahi example code
3345
if zeroconf:
3346
# From the Avahi example code
3347
try:
3348
service.activate()
3349
except dbus.exceptions.DBusException as error:
3350
logger.critical("D-Bus Exception", exc_info=error)
3351
cleanup()
3352
sys.exit(1)
3353
# End of Avahi example code
2398
3354
2399
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3355
GObject.io_add_watch(tcp_server.fileno(), GObject.IO_IN,
2400
3356
lambda *args, **kwargs:
2401
3357
(tcp_server.handle_request
2402
3358
(*args[2:], **kwargs) or True))
2404
3360
logger.debug("Starting main loop")
2405
3361
main_loop.run()
2406
3362
except AvahiError as error:
2407
logger.critical("AvahiError: %s", error)
3363
logger.critical("Avahi Error", exc_info=error)
2408
3364
cleanup()
2409
3365
sys.exit(1)
2410
3366
except KeyboardInterrupt:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0