To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 828
- compare with another revision
- download diff
- download tarball
- view history from revision 828
- Committer: Teddy Hogeborn
- Date: 2016-03-09 21:23:21 UTC
- Revision ID: teddy@recompile.se-20160309212321-2qlkzj9tecepc8xq
Server: Add Python 3 compatibility
Add Python 3 compatibility by not using the python-avahi module. Also
fix miscellaneous things which differs in Python 3. Especially hard
to fix is loading and saving clients data between Python 3 and 2,
since pickle formats have problems with strings.
* INSTALL: Remove python-avahi (and change python-gobject to
python-gi, which is preferred now).
* debian/control (Source: mandos/Build-Depends-Indep): Remove
"python-avahi".
* mandos: Wrap future_builtins import in try-except clause. Do not
import avahi module. Use codecs.decode(..., "base64) instead of
.decode("base64). Use .keys(), .values(), and .items() instead of
.iterkeys(), .itervalues(), and .iteritems().
(alternate_dbus_interfaces/wrapper): Python 3 still requires the
"black magic", but luckily it still works. The Python 3 type()
constructor requires first argument to be a string, not a byte
string.
(copy_function): New. Use throughout.
(Avahi, avahi): New class and global variable.
(GnuTLS._need_version): Changed to be a byte string.
(main): Decode byte strings loaded from pickle file.
(main/cleanup): Dump using pickle prototoc 2 which Python 2 can
read.
Add Python 3 compatibility by not using the python-avahi module. Also
fix miscellaneous things which differs in Python 3. Especially hard
to fix is loading and saving clients data between Python 3 and 2,
since pickle formats have problems with strings.
* INSTALL: Remove python-avahi (and change python-gobject to
python-gi, which is preferred now).
* debian/control (Source: mandos/Build-Depends-Indep): Remove
"python-avahi".
* mandos: Wrap future_builtins import in try-except clause. Do not
import avahi module. Use codecs.decode(..., "base64) instead of
.decode("base64). Use .keys(), .values(), and .items() instead of
.iterkeys(), .itervalues(), and .iteritems().
(alternate_dbus_interfaces/wrapper): Python 3 still requires the
"black magic", but luckily it still works. The Python 3 type()
constructor requires first argument to be a string, not a byte
string.
(copy_function): New. Use throughout.
(Avahi, avahi): New class and global variable.
(GnuTLS._need_version): Changed to be a byte string.
(main): Decode byte strings loaded from pickle file.
(main/cleanup): Dump using pickle prototoc 2 which Python 2 can
read.
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- mode: python; after-save-hook: (lambda () (let ((command (if (fboundp 'file-local-name) (file-local-name (buffer-file-name)) (or (file-remote-p (buffer-file-name) 'localname) (buffer-file-name))))) (if (= (progn (if (get-buffer "*Test*") (kill-buffer "*Test*")) (process-file-shell-command (format "%s --check" (shell-quote-argument command)) nil "*Test*")) 0) (let ((w (get-buffer-window "*Test*"))) (if w (delete-window w))) (progn (with-current-buffer "*Test*" (compilation-mode)) (display-buffer "*Test*" '(display-buffer-in-side-window)))))); coding: utf-8 -*-
3
#
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2019 Teddy Hogeborn
15
# Copyright © 2008-2019 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
77
76
import itertools
78
77
import collections
79
78
import codecs
80
import unittest
81
import random
82
import shlex
83
79
84
80
import dbus
85
81
import dbus.service
86
import gi
87
from gi.repository import GLib
82
try:
83
from gi.repository import GObject
84
except ImportError:
85
import gobject as GObject
88
86
from dbus.mainloop.glib import DBusGMainLoop
89
87
import ctypes
90
88
import ctypes.util
91
89
import xml.dom.minidom
92
90
import inspect
93
91
94
if sys.version_info.major == 2:
95
__metaclass__ = type
96
str = unicode
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
# Try to find the value of SO_BINDTODEVICE:
119
try:
120
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
121
# newer, and it is also the most natural place for it:
92
try:
122
93
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
123
94
except AttributeError:
124
95
try:
125
# This is where SO_BINDTODEVICE was up to and including Python
126
# 2.6, and also 3.2:
127
96
from IN import SO_BINDTODEVICE
128
97
except ImportError:
129
# In Python 2.7 it seems to have been removed entirely.
130
# Try running the C preprocessor:
131
try:
132
cc = subprocess.Popen(["cc", "--language=c", "-E",
133
"/dev/stdin"],
134
stdin=subprocess.PIPE,
135
stdout=subprocess.PIPE)
136
stdout = cc.communicate(
137
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
138
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
139
except (OSError, ValueError, IndexError):
140
# No value found
141
SO_BINDTODEVICE = None
142
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
145
146
version = "1.8.11"
98
SO_BINDTODEVICE = None
99
100
if sys.version_info.major == 2:
101
str = unicode
102
103
version = "1.7.5"
147
104
stored_state_file = "clients.pickle"
148
105
149
106
logger = logging.getLogger()
150
logging.captureWarnings(True) # Show warnings via the logging system
151
107
syslogger = None
152
108
153
109
try:
154
110
if_nametoindex = ctypes.cdll.LoadLibrary(
155
111
ctypes.util.find_library("c")).if_nametoindex
156
112
except (OSError, AttributeError):
157
113
158
114
def if_nametoindex(interface):
159
115
"Get an interface index the hard way, i.e. using fcntl()"
160
116
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
183
139
184
140
def initlogger(debug, level=logging.WARNING):
185
141
"""init logger and add loglevel"""
186
142
187
143
global syslogger
188
144
syslogger = (logging.handlers.SysLogHandler(
189
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
address="/dev/log"))
145
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
146
address = "/dev/log"))
191
147
syslogger.setFormatter(logging.Formatter
192
148
('Mandos [%(process)d]: %(levelname)s:'
193
149
' %(message)s'))
194
150
logger.addHandler(syslogger)
195
151
196
152
if debug:
197
153
console = logging.StreamHandler()
198
154
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
208
164
pass
209
165
210
166
211
class PGPEngine:
167
class PGPEngine(object):
212
168
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
169
214
170
def __init__(self):
215
171
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
216
172
self.gpg = "gpg"
218
174
output = subprocess.check_output(["gpgconf"])
219
175
for line in output.splitlines():
220
176
name, text, path = line.split(b":")
221
if name == b"gpg":
177
if name == "gpg":
222
178
self.gpg = path
223
179
break
224
180
except OSError as e:
227
183
self.gnupgargs = ['--batch',
228
184
'--homedir', self.tempdir,
229
185
'--force-mdc',
230
'--quiet']
231
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
233
self.gnupgargs.append("--no-use-agent")
234
186
'--quiet',
187
'--no-use-agent']
188
235
189
def __enter__(self):
236
190
return self
237
191
238
192
def __exit__(self, exc_type, exc_value, traceback):
239
193
self._cleanup()
240
194
return False
241
195
242
196
def __del__(self):
243
197
self._cleanup()
244
198
245
199
def _cleanup(self):
246
200
if self.tempdir is not None:
247
201
# Delete contents of tempdir
248
202
for root, dirs, files in os.walk(self.tempdir,
249
topdown=False):
203
topdown = False):
250
204
for filename in files:
251
205
os.remove(os.path.join(root, filename))
252
206
for dirname in dirs:
254
208
# Remove tempdir
255
209
os.rmdir(self.tempdir)
256
210
self.tempdir = None
257
211
258
212
def password_encode(self, password):
259
213
# Passphrase can not be empty and can not contain newlines or
260
214
# NUL bytes. So we prefix it and hex encode it.
265
219
.replace(b"\n", b"\\n")
266
220
.replace(b"\0", b"\\x00"))
267
221
return encoded
268
222
269
223
def encrypt(self, data, password):
270
224
passphrase = self.password_encode(password)
271
225
with tempfile.NamedTemporaryFile(
276
230
'--passphrase-file',
277
231
passfile.name]
278
232
+ self.gnupgargs,
279
stdin=subprocess.PIPE,
280
stdout=subprocess.PIPE,
281
stderr=subprocess.PIPE)
282
ciphertext, err = proc.communicate(input=data)
233
stdin = subprocess.PIPE,
234
stdout = subprocess.PIPE,
235
stderr = subprocess.PIPE)
236
ciphertext, err = proc.communicate(input = data)
283
237
if proc.returncode != 0:
284
238
raise PGPError(err)
285
239
return ciphertext
286
240
287
241
def decrypt(self, data, password):
288
242
passphrase = self.password_encode(password)
289
243
with tempfile.NamedTemporaryFile(
290
dir=self.tempdir) as passfile:
244
dir = self.tempdir) as passfile:
291
245
passfile.write(passphrase)
292
246
passfile.flush()
293
247
proc = subprocess.Popen([self.gpg, '--decrypt',
294
248
'--passphrase-file',
295
249
passfile.name]
296
250
+ self.gnupgargs,
297
stdin=subprocess.PIPE,
298
stdout=subprocess.PIPE,
299
stderr=subprocess.PIPE)
300
decrypted_plaintext, err = proc.communicate(input=data)
251
stdin = subprocess.PIPE,
252
stdout = subprocess.PIPE,
253
stderr = subprocess.PIPE)
254
decrypted_plaintext, err = proc.communicate(input = data)
301
255
if proc.returncode != 0:
302
256
raise PGPError(err)
303
257
return decrypted_plaintext
304
258
305
306
259
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
309
IF_UNSPEC = -1 # avahi-common/address.h
310
PROTO_UNSPEC = -1 # avahi-common/address.h
311
PROTO_INET = 0 # avahi-common/address.h
312
PROTO_INET6 = 1 # avahi-common/address.h
260
class Avahi(object):
261
"""This isn't so much a class as it is a module-like namespace.
262
It is instantiated once, and simulates having an Avahi module."""
263
IF_UNSPEC = -1 # avahi-common/address.h
264
PROTO_UNSPEC = -1 # avahi-common/address.h
265
PROTO_INET = 0 # avahi-common/address.h
266
PROTO_INET6 = 1 # avahi-common/address.h
313
267
DBUS_NAME = "org.freedesktop.Avahi"
314
268
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
315
269
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
270
DBUS_PATH_SERVER = "/"
317
318
@staticmethod
319
def string_array_to_txt_array(t):
271
def string_array_to_txt_array(self, t):
320
272
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
273
for s in t), signature="ay")
322
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
323
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
324
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
325
SERVER_INVALID = 0 # avahi-common/defs.h
326
SERVER_REGISTERING = 1 # avahi-common/defs.h
327
SERVER_RUNNING = 2 # avahi-common/defs.h
328
SERVER_COLLISION = 3 # avahi-common/defs.h
329
SERVER_FAILURE = 4 # avahi-common/defs.h
330
274
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
275
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
276
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
277
SERVER_INVALID = 0 # avahi-common/defs.h
278
SERVER_REGISTERING = 1 # avahi-common/defs.h
279
SERVER_RUNNING = 2 # avahi-common/defs.h
280
SERVER_COLLISION = 3 # avahi-common/defs.h
281
SERVER_FAILURE = 4 # avahi-common/defs.h
282
avahi = Avahi()
331
283
332
284
class AvahiError(Exception):
333
285
def __init__(self, value, *args, **kwargs):
344
296
pass
345
297
346
298
347
class AvahiService:
299
class AvahiService(object):
348
300
"""An Avahi (Zeroconf) service.
349
301
350
302
Attributes:
351
303
interface: integer; avahi.IF_UNSPEC or an interface index.
352
304
Used to optionally bind to the specified interface.
364
316
server: D-Bus Server
365
317
bus: dbus.SystemBus()
366
318
"""
367
319
368
320
def __init__(self,
369
interface=avahi.IF_UNSPEC,
370
name=None,
371
servicetype=None,
372
port=None,
373
TXT=None,
374
domain="",
375
host="",
376
max_renames=32768,
377
protocol=avahi.PROTO_UNSPEC,
378
bus=None):
321
interface = avahi.IF_UNSPEC,
322
name = None,
323
servicetype = None,
324
port = None,
325
TXT = None,
326
domain = "",
327
host = "",
328
max_renames = 32768,
329
protocol = avahi.PROTO_UNSPEC,
330
bus = None):
379
331
self.interface = interface
380
332
self.name = name
381
333
self.type = servicetype
390
342
self.server = None
391
343
self.bus = bus
392
344
self.entry_group_state_changed_match = None
393
345
394
346
def rename(self, remove=True):
395
347
"""Derived from the Avahi example code"""
396
348
if self.rename_count >= self.max_renames:
416
368
logger.critical("D-Bus Exception", exc_info=error)
417
369
self.cleanup()
418
370
os._exit(1)
419
371
420
372
def remove(self):
421
373
"""Derived from the Avahi example code"""
422
374
if self.entry_group_state_changed_match is not None:
424
376
self.entry_group_state_changed_match = None
425
377
if self.group is not None:
426
378
self.group.Reset()
427
379
428
380
def add(self):
429
381
"""Derived from the Avahi example code"""
430
382
self.remove()
447
399
dbus.UInt16(self.port),
448
400
avahi.string_array_to_txt_array(self.TXT))
449
401
self.group.Commit()
450
402
451
403
def entry_group_state_changed(self, state, error):
452
404
"""Derived from the Avahi example code"""
453
405
logger.debug("Avahi entry group state change: %i", state)
454
406
455
407
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
408
logger.debug("Zeroconf service established.")
457
409
elif state == avahi.ENTRY_GROUP_COLLISION:
461
413
logger.critical("Avahi: Error in group state changed %s",
462
414
str(error))
463
415
raise AvahiGroupError("State changed: {!s}".format(error))
464
416
465
417
def cleanup(self):
466
418
"""Derived from the Avahi example code"""
467
419
if self.group is not None:
472
424
pass
473
425
self.group = None
474
426
self.remove()
475
427
476
428
def server_state_changed(self, state, error=None):
477
429
"""Derived from the Avahi example code"""
478
430
logger.debug("Avahi server state change: %i", state)
507
459
logger.debug("Unknown state: %r", state)
508
460
else:
509
461
logger.debug("Unknown state: %r: %r", state, error)
510
462
511
463
def activate(self):
512
464
"""Derived from the Avahi example code"""
513
465
if self.server is None:
524
476
class AvahiServiceToSyslog(AvahiService):
525
477
def rename(self, *args, **kwargs):
526
478
"""Add the new name to the syslog messages"""
527
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
479
ret = AvahiService.rename(self, *args, **kwargs)
528
480
syslogger.setFormatter(logging.Formatter(
529
481
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
482
.format(self.name)))
531
483
return ret
532
484
533
534
485
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
543
486
class GnuTLS(object):
487
"""This isn't so much a class as it is a module-like namespace.
488
It is instantiated once, and simulates having a GnuTLS module."""
489
490
_library = ctypes.cdll.LoadLibrary(
491
ctypes.util.find_library("gnutls"))
492
_need_version = b"3.3.0"
493
def __init__(self):
494
# Need to use class name "GnuTLS" here, since this method is
495
# called before the assignment to the "gnutls" global variable
496
# happens.
497
if GnuTLS.check_version(self._need_version) is None:
498
raise GnuTLS.Error("Needs GnuTLS {} or later"
499
.format(self._need_version))
500
544
501
# Unless otherwise indicated, the constants and types below are
545
502
# all from the gnutls/gnutls.h C header file.
546
503
547
504
# Constants
548
505
E_SUCCESS = 0
549
506
E_INTERRUPTED = -52
550
507
E_AGAIN = -28
551
508
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
509
CLIENT = 2
554
510
SHUT_RDWR = 0
555
511
CRD_CERTIFICATE = 1
556
512
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
513
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
514
564
515
# Types
565
516
class session_int(ctypes.Structure):
566
517
_fields_ = []
567
518
session_t = ctypes.POINTER(session_int)
568
569
519
class certificate_credentials_st(ctypes.Structure):
570
520
_fields_ = []
571
521
certificate_credentials_t = ctypes.POINTER(
572
522
certificate_credentials_st)
573
523
certificate_type_t = ctypes.c_int
574
575
524
class datum_t(ctypes.Structure):
576
525
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
577
526
('size', ctypes.c_uint)]
578
579
527
class openpgp_crt_int(ctypes.Structure):
580
528
_fields_ = []
581
529
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
530
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
531
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
532
credentials_type_t = ctypes.c_int
585
533
transport_ptr_t = ctypes.c_void_p
586
534
close_request_t = ctypes.c_int
587
535
588
536
# Exceptions
589
537
class Error(Exception):
590
def __init__(self, message=None, code=None, args=()):
538
# We need to use the class name "GnuTLS" here, since this
539
# exception might be raised from within GnuTLS.__init__,
540
# which is called before the assignment to the "gnutls"
541
# global variable has happened.
542
def __init__(self, message = None, code = None, args=()):
591
543
# Default usage is by a message string, but if a return
592
544
# code is passed, convert it to a string with
593
545
# gnutls.strerror()
594
546
self.code = code
595
547
if message is None and code is not None:
596
message = gnutls.strerror(code)
597
return super(gnutls.Error, self).__init__(
548
message = GnuTLS.strerror(code)
549
return super(GnuTLS.Error, self).__init__(
598
550
message, *args)
599
551
600
552
class CertificateSecurityError(Error):
601
553
pass
602
554
603
555
# Classes
604
class Credentials:
556
class Credentials(object):
605
557
def __init__(self):
606
558
self._c_object = gnutls.certificate_credentials_t()
607
559
gnutls.certificate_allocate_credentials(
608
560
ctypes.byref(self._c_object))
609
561
self.type = gnutls.CRD_CERTIFICATE
610
562
611
563
def __del__(self):
612
564
gnutls.certificate_free_credentials(self._c_object)
613
614
class ClientSession:
615
def __init__(self, socket, credentials=None):
565
566
class ClientSession(object):
567
def __init__(self, socket, credentials = None):
616
568
self._c_object = gnutls.session_t()
617
gnutls_flags = gnutls.CLIENT
618
if gnutls.check_version(b"3.5.6"):
619
gnutls_flags |= gnutls.NO_TICKETS
620
if gnutls.has_rawpk:
621
gnutls_flags |= gnutls.ENABLE_RAWPK
622
gnutls.init(ctypes.byref(self._c_object), gnutls_flags)
623
del gnutls_flags
569
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
624
570
gnutls.set_default_priority(self._c_object)
625
571
gnutls.transport_set_ptr(self._c_object, socket.fileno())
626
572
gnutls.handshake_set_private_extensions(self._c_object,
632
578
ctypes.cast(credentials._c_object,
633
579
ctypes.c_void_p))
634
580
self.credentials = credentials
635
581
636
582
def __del__(self):
637
583
gnutls.deinit(self._c_object)
638
584
639
585
def handshake(self):
640
586
return gnutls.handshake(self._c_object)
641
587
642
588
def send(self, data):
643
589
data = bytes(data)
644
590
data_len = len(data)
646
592
data_len -= gnutls.record_send(self._c_object,
647
593
data[-data_len:],
648
594
data_len)
649
595
650
596
def bye(self):
651
597
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
652
598
653
599
# Error handling functions
654
600
def _error_code(result):
655
601
"""A function to raise exceptions on errors, suitable
657
603
if result >= 0:
658
604
return result
659
605
if result == gnutls.E_NO_CERTIFICATE_FOUND:
660
raise gnutls.CertificateSecurityError(code=result)
661
raise gnutls.Error(code=result)
662
606
raise gnutls.CertificateSecurityError(code = result)
607
raise gnutls.Error(code = result)
608
663
609
def _retry_on_error(result, func, arguments):
664
610
"""A function to retry on some errors, suitable
665
611
for the 'errcheck' attribute on ctypes functions"""
668
614
return _error_code(result)
669
615
result = func(*arguments)
670
616
return result
671
617
672
618
# Unless otherwise indicated, the function declarations below are
673
619
# all from the gnutls/gnutls.h C header file.
674
620
675
621
# Functions
676
622
priority_set_direct = _library.gnutls_priority_set_direct
677
623
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
678
624
ctypes.POINTER(ctypes.c_char_p)]
679
625
priority_set_direct.restype = _error_code
680
626
681
627
init = _library.gnutls_init
682
628
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
683
629
init.restype = _error_code
684
630
685
631
set_default_priority = _library.gnutls_set_default_priority
686
632
set_default_priority.argtypes = [session_t]
687
633
set_default_priority.restype = _error_code
688
634
689
635
record_send = _library.gnutls_record_send
690
636
record_send.argtypes = [session_t, ctypes.c_void_p,
691
637
ctypes.c_size_t]
692
638
record_send.restype = ctypes.c_ssize_t
693
639
record_send.errcheck = _retry_on_error
694
640
695
641
certificate_allocate_credentials = (
696
642
_library.gnutls_certificate_allocate_credentials)
697
643
certificate_allocate_credentials.argtypes = [
698
644
ctypes.POINTER(certificate_credentials_t)]
699
645
certificate_allocate_credentials.restype = _error_code
700
646
701
647
certificate_free_credentials = (
702
648
_library.gnutls_certificate_free_credentials)
703
certificate_free_credentials.argtypes = [
704
certificate_credentials_t]
649
certificate_free_credentials.argtypes = [certificate_credentials_t]
705
650
certificate_free_credentials.restype = None
706
651
707
652
handshake_set_private_extensions = (
708
653
_library.gnutls_handshake_set_private_extensions)
709
654
handshake_set_private_extensions.argtypes = [session_t,
710
655
ctypes.c_int]
711
656
handshake_set_private_extensions.restype = None
712
657
713
658
credentials_set = _library.gnutls_credentials_set
714
659
credentials_set.argtypes = [session_t, credentials_type_t,
715
660
ctypes.c_void_p]
716
661
credentials_set.restype = _error_code
717
662
718
663
strerror = _library.gnutls_strerror
719
664
strerror.argtypes = [ctypes.c_int]
720
665
strerror.restype = ctypes.c_char_p
721
666
722
667
certificate_type_get = _library.gnutls_certificate_type_get
723
668
certificate_type_get.argtypes = [session_t]
724
669
certificate_type_get.restype = _error_code
725
670
726
671
certificate_get_peers = _library.gnutls_certificate_get_peers
727
672
certificate_get_peers.argtypes = [session_t,
728
673
ctypes.POINTER(ctypes.c_uint)]
729
674
certificate_get_peers.restype = ctypes.POINTER(datum_t)
730
675
731
676
global_set_log_level = _library.gnutls_global_set_log_level
732
677
global_set_log_level.argtypes = [ctypes.c_int]
733
678
global_set_log_level.restype = None
734
679
735
680
global_set_log_function = _library.gnutls_global_set_log_function
736
681
global_set_log_function.argtypes = [log_func]
737
682
global_set_log_function.restype = None
738
683
739
684
deinit = _library.gnutls_deinit
740
685
deinit.argtypes = [session_t]
741
686
deinit.restype = None
742
687
743
688
handshake = _library.gnutls_handshake
744
689
handshake.argtypes = [session_t]
745
690
handshake.restype = _error_code
746
691
handshake.errcheck = _retry_on_error
747
692
748
693
transport_set_ptr = _library.gnutls_transport_set_ptr
749
694
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
750
695
transport_set_ptr.restype = None
751
696
752
697
bye = _library.gnutls_bye
753
698
bye.argtypes = [session_t, close_request_t]
754
699
bye.restype = _error_code
755
700
bye.errcheck = _retry_on_error
756
701
757
702
check_version = _library.gnutls_check_version
758
703
check_version.argtypes = [ctypes.c_char_p]
759
704
check_version.restype = ctypes.c_char_p
760
761
_need_version = b"3.3.0"
762
if check_version(_need_version) is None:
763
raise self.Error("Needs GnuTLS {} or later"
764
.format(_need_version))
765
766
_tls_rawpk_version = b"3.6.6"
767
has_rawpk = bool(check_version(_tls_rawpk_version))
768
769
if has_rawpk:
770
# Types
771
class pubkey_st(ctypes.Structure):
772
_fields = []
773
pubkey_t = ctypes.POINTER(pubkey_st)
774
775
x509_crt_fmt_t = ctypes.c_int
776
777
# All the function declarations below are from gnutls/abstract.h
778
pubkey_init = _library.gnutls_pubkey_init
779
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
780
pubkey_init.restype = _error_code
781
782
pubkey_import = _library.gnutls_pubkey_import
783
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
784
x509_crt_fmt_t]
785
pubkey_import.restype = _error_code
786
787
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
788
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
789
ctypes.POINTER(ctypes.c_ubyte),
790
ctypes.POINTER(ctypes.c_size_t)]
791
pubkey_get_key_id.restype = _error_code
792
793
pubkey_deinit = _library.gnutls_pubkey_deinit
794
pubkey_deinit.argtypes = [pubkey_t]
795
pubkey_deinit.restype = None
796
else:
797
# All the function declarations below are from gnutls/openpgp.h
798
799
openpgp_crt_init = _library.gnutls_openpgp_crt_init
800
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
801
openpgp_crt_init.restype = _error_code
802
803
openpgp_crt_import = _library.gnutls_openpgp_crt_import
804
openpgp_crt_import.argtypes = [openpgp_crt_t,
805
ctypes.POINTER(datum_t),
806
openpgp_crt_fmt_t]
807
openpgp_crt_import.restype = _error_code
808
809
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
810
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
811
ctypes.POINTER(ctypes.c_uint)]
812
openpgp_crt_verify_self.restype = _error_code
813
814
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
815
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
816
openpgp_crt_deinit.restype = None
817
818
openpgp_crt_get_fingerprint = (
819
_library.gnutls_openpgp_crt_get_fingerprint)
820
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
821
ctypes.c_void_p,
822
ctypes.POINTER(
823
ctypes.c_size_t)]
824
openpgp_crt_get_fingerprint.restype = _error_code
825
826
if check_version(b"3.6.4"):
827
certificate_type_get2 = _library.gnutls_certificate_type_get2
828
certificate_type_get2.argtypes = [session_t, ctypes.c_int]
829
certificate_type_get2.restype = _error_code
830
705
706
# All the function declarations below are from gnutls/openpgp.h
707
708
openpgp_crt_init = _library.gnutls_openpgp_crt_init
709
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
710
openpgp_crt_init.restype = _error_code
711
712
openpgp_crt_import = _library.gnutls_openpgp_crt_import
713
openpgp_crt_import.argtypes = [openpgp_crt_t,
714
ctypes.POINTER(datum_t),
715
openpgp_crt_fmt_t]
716
openpgp_crt_import.restype = _error_code
717
718
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
719
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
720
ctypes.POINTER(ctypes.c_uint)]
721
openpgp_crt_verify_self.restype = _error_code
722
723
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
724
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
725
openpgp_crt_deinit.restype = None
726
727
openpgp_crt_get_fingerprint = (
728
_library.gnutls_openpgp_crt_get_fingerprint)
729
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
730
ctypes.c_void_p,
731
ctypes.POINTER(
732
ctypes.c_size_t)]
733
openpgp_crt_get_fingerprint.restype = _error_code
734
831
735
# Remove non-public functions
832
736
del _error_code, _retry_on_error
833
737
# Create the global "gnutls" object, simulating a module
738
gnutls = GnuTLS()
834
739
835
740
def call_pipe(connection, # : multiprocessing.Connection
836
741
func, *args, **kwargs):
837
742
"""This function is meant to be called by multiprocessing.Process
838
743
839
744
This function runs func(*args, **kwargs), and writes the resulting
840
745
return value on the provided multiprocessing.Connection.
841
746
"""
842
747
connection.send(func(*args, **kwargs))
843
748
connection.close()
844
749
845
846
class Client:
750
class Client(object):
847
751
"""A representation of a client host served by this server.
848
752
849
753
Attributes:
850
754
approved: bool(); 'None' if not yet approved/disapproved
851
755
approval_delay: datetime.timedelta(); Time to wait for approval
852
756
approval_duration: datetime.timedelta(); Duration of one approval
853
checker: multiprocessing.Process(); a running checker process used
854
to see if the client lives. 'None' if no process is
855
running.
856
checker_callback_tag: a GLib event source tag, or None
757
checker: subprocess.Popen(); a running checker process used
758
to see if the client lives.
759
'None' if no process is running.
760
checker_callback_tag: a GObject event source tag, or None
857
761
checker_command: string; External command which is run to check
858
762
if client lives. %() expansions are done at
859
763
runtime with vars(self) as dict, so that for
860
764
instance %(name)s can be used in the command.
861
checker_initiator_tag: a GLib event source tag, or None
765
checker_initiator_tag: a GObject event source tag, or None
862
766
created: datetime.datetime(); (UTC) object creation
863
767
client_structure: Object describing what attributes a client has
864
768
and is used for storing the client at exit
865
769
current_checker_command: string; current running checker_command
866
disable_initiator_tag: a GLib event source tag, or None
770
disable_initiator_tag: a GObject event source tag, or None
867
771
enabled: bool()
868
772
fingerprint: string (40 or 32 hexadecimal digits); used to
869
uniquely identify an OpenPGP client
870
key_id: string (64 hexadecimal digits); used to uniquely identify
871
a client using raw public keys
773
uniquely identify the client
872
774
host: string; available for use by the checker command
873
775
interval: datetime.timedelta(); How often to start a new checker
874
776
last_approval_request: datetime.datetime(); (UTC) or None
890
792
disabled, or None
891
793
server_settings: The server_settings dict from main()
892
794
"""
893
795
894
796
runtime_expansions = ("approval_delay", "approval_duration",
895
"created", "enabled", "expires", "key_id",
797
"created", "enabled", "expires",
896
798
"fingerprint", "host", "interval",
897
799
"last_approval_request", "last_checked_ok",
898
800
"last_enabled", "name", "timeout")
907
809
"approved_by_default": "True",
908
810
"enabled": "True",
909
811
}
910
812
911
813
@staticmethod
912
814
def config_parser(config):
913
815
"""Construct a new dict of client settings of this form:
920
822
for client_name in config.sections():
921
823
section = dict(config.items(client_name))
922
824
client = settings[client_name] = {}
923
825
924
826
client["host"] = section["host"]
925
827
# Reformat values from string types to Python types
926
828
client["approved_by_default"] = config.getboolean(
927
829
client_name, "approved_by_default")
928
830
client["enabled"] = config.getboolean(client_name,
929
831
"enabled")
930
931
# Uppercase and remove spaces from key_id and fingerprint
932
# for later comparison purposes with return value from the
933
# key_id() and fingerprint() functions
934
client["key_id"] = (section.get("key_id", "").upper()
935
.replace(" ", ""))
832
833
# Uppercase and remove spaces from fingerprint for later
834
# comparison purposes with return value from the
835
# fingerprint() function
936
836
client["fingerprint"] = (section["fingerprint"].upper()
937
837
.replace(" ", ""))
938
838
if "secret" in section:
959
859
client["last_approval_request"] = None
960
860
client["last_checked_ok"] = None
961
861
client["last_checker_status"] = -2
962
862
963
863
return settings
964
965
def __init__(self, settings, name=None, server_settings=None):
864
865
def __init__(self, settings, name = None, server_settings=None):
966
866
self.name = name
967
867
if server_settings is None:
968
868
server_settings = {}
970
870
# adding all client settings
971
871
for setting, value in settings.items():
972
872
setattr(self, setting, value)
973
873
974
874
if self.enabled:
975
875
if not hasattr(self, "last_enabled"):
976
876
self.last_enabled = datetime.datetime.utcnow()
980
880
else:
981
881
self.last_enabled = None
982
882
self.expires = None
983
883
984
884
logger.debug("Creating client %r", self.name)
985
logger.debug(" Key ID: %s", self.key_id)
986
885
logger.debug(" Fingerprint: %s", self.fingerprint)
987
886
self.created = settings.get("created",
988
887
datetime.datetime.utcnow())
989
888
990
889
# attributes specific for this server instance
991
890
self.checker = None
992
891
self.checker_initiator_tag = None
1001
900
for attr in self.__dict__.keys()
1002
901
if not attr.startswith("_")]
1003
902
self.client_structure.append("client_structure")
1004
903
1005
904
for name, t in inspect.getmembers(
1006
905
type(self), lambda obj: isinstance(obj, property)):
1007
906
if not name.startswith("_"):
1008
907
self.client_structure.append(name)
1009
908
1010
909
# Send notice to process children that client state has changed
1011
910
def send_changedstate(self):
1012
911
with self.changedstate:
1013
912
self.changedstate.notify_all()
1014
913
1015
914
def enable(self):
1016
915
"""Start this client's checker and timeout hooks"""
1017
916
if getattr(self, "enabled", False):
1022
921
self.last_enabled = datetime.datetime.utcnow()
1023
922
self.init_checker()
1024
923
self.send_changedstate()
1025
924
1026
925
def disable(self, quiet=True):
1027
926
"""Disable this client."""
1028
927
if not getattr(self, "enabled", False):
1030
929
if not quiet:
1031
930
logger.info("Disabling client %s", self.name)
1032
931
if getattr(self, "disable_initiator_tag", None) is not None:
1033
GLib.source_remove(self.disable_initiator_tag)
932
GObject.source_remove(self.disable_initiator_tag)
1034
933
self.disable_initiator_tag = None
1035
934
self.expires = None
1036
935
if getattr(self, "checker_initiator_tag", None) is not None:
1037
GLib.source_remove(self.checker_initiator_tag)
936
GObject.source_remove(self.checker_initiator_tag)
1038
937
self.checker_initiator_tag = None
1039
938
self.stop_checker()
1040
939
self.enabled = False
1041
940
if not quiet:
1042
941
self.send_changedstate()
1043
# Do not run this again if called by a GLib.timeout_add
942
# Do not run this again if called by a GObject.timeout_add
1044
943
return False
1045
944
1046
945
def __del__(self):
1047
946
self.disable()
1048
947
1049
948
def init_checker(self):
1050
949
# Schedule a new checker to be started an 'interval' from now,
1051
950
# and every interval from then on.
1052
951
if self.checker_initiator_tag is not None:
1053
GLib.source_remove(self.checker_initiator_tag)
1054
self.checker_initiator_tag = GLib.timeout_add(
1055
random.randrange(int(self.interval.total_seconds() * 1000
1056
+ 1)),
952
GObject.source_remove(self.checker_initiator_tag)
953
self.checker_initiator_tag = GObject.timeout_add(
954
int(self.interval.total_seconds() * 1000),
1057
955
self.start_checker)
1058
956
# Schedule a disable() when 'timeout' has passed
1059
957
if self.disable_initiator_tag is not None:
1060
GLib.source_remove(self.disable_initiator_tag)
1061
self.disable_initiator_tag = GLib.timeout_add(
958
GObject.source_remove(self.disable_initiator_tag)
959
self.disable_initiator_tag = GObject.timeout_add(
1062
960
int(self.timeout.total_seconds() * 1000), self.disable)
1063
961
# Also start a new checker *right now*.
1064
962
self.start_checker()
1065
963
1066
964
def checker_callback(self, source, condition, connection,
1067
965
command):
1068
966
"""The checker has completed, so take appropriate actions."""
967
self.checker_callback_tag = None
968
self.checker = None
1069
969
# Read return code from connection (see call_pipe)
1070
970
returncode = connection.recv()
1071
971
connection.close()
1072
if self.checker is not None:
1073
self.checker.join()
1074
self.checker_callback_tag = None
1075
self.checker = None
1076
972
1077
973
if returncode >= 0:
1078
974
self.last_checker_status = returncode
1079
975
self.last_checker_signal = None
1089
985
logger.warning("Checker for %(name)s crashed?",
1090
986
vars(self))
1091
987
return False
1092
988
1093
989
def checked_ok(self):
1094
990
"""Assert that the client has been seen, alive and well."""
1095
991
self.last_checked_ok = datetime.datetime.utcnow()
1096
992
self.last_checker_status = 0
1097
993
self.last_checker_signal = None
1098
994
self.bump_timeout()
1099
995
1100
996
def bump_timeout(self, timeout=None):
1101
997
"""Bump up the timeout for this client."""
1102
998
if timeout is None:
1103
999
timeout = self.timeout
1104
1000
if self.disable_initiator_tag is not None:
1105
GLib.source_remove(self.disable_initiator_tag)
1001
GObject.source_remove(self.disable_initiator_tag)
1106
1002
self.disable_initiator_tag = None
1107
1003
if getattr(self, "enabled", False):
1108
self.disable_initiator_tag = GLib.timeout_add(
1004
self.disable_initiator_tag = GObject.timeout_add(
1109
1005
int(timeout.total_seconds() * 1000), self.disable)
1110
1006
self.expires = datetime.datetime.utcnow() + timeout
1111
1007
1112
1008
def need_approval(self):
1113
1009
self.last_approval_request = datetime.datetime.utcnow()
1114
1010
1115
1011
def start_checker(self):
1116
1012
"""Start a new checker subprocess if one is not running.
1117
1013
1118
1014
If a checker already exists, leave it running and do
1119
1015
nothing."""
1120
1016
# The reason for not killing a running checker is that if we
1125
1021
# checkers alone, the checker would have to take more time
1126
1022
# than 'timeout' for the client to be disabled, which is as it
1127
1023
# should be.
1128
1024
1129
1025
if self.checker is not None and not self.checker.is_alive():
1130
1026
logger.warning("Checker was not alive; joining")
1131
1027
self.checker.join()
1134
1030
if self.checker is None:
1135
1031
# Escape attributes for the shell
1136
1032
escaped_attrs = {
1137
attr: shlex.quote(str(getattr(self, attr)))
1138
for attr in self.runtime_expansions}
1033
attr: re.escape(str(getattr(self, attr)))
1034
for attr in self.runtime_expansions }
1139
1035
try:
1140
1036
command = self.checker_command % escaped_attrs
1141
1037
except TypeError as error:
1153
1049
# The exception is when not debugging but nevertheless
1154
1050
# running in the foreground; use the previously
1155
1051
# created wnull.
1156
popen_args = {"close_fds": True,
1157
"shell": True,
1158
"cwd": "/"}
1052
popen_args = { "close_fds": True,
1053
"shell": True,
1054
"cwd": "/" }
1159
1055
if (not self.server_settings["debug"]
1160
1056
and self.server_settings["foreground"]):
1161
1057
popen_args.update({"stdout": wnull,
1162
"stderr": wnull})
1163
pipe = multiprocessing.Pipe(duplex=False)
1058
"stderr": wnull })
1059
pipe = multiprocessing.Pipe(duplex = False)
1164
1060
self.checker = multiprocessing.Process(
1165
target=call_pipe,
1166
args=(pipe[1], subprocess.call, command),
1167
kwargs=popen_args)
1061
target = call_pipe,
1062
args = (pipe[1], subprocess.call, command),
1063
kwargs = popen_args)
1168
1064
self.checker.start()
1169
self.checker_callback_tag = GLib.io_add_watch(
1170
GLib.IOChannel.unix_new(pipe[0].fileno()),
1171
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1065
self.checker_callback_tag = GObject.io_add_watch(
1066
pipe[0].fileno(), GObject.IO_IN,
1172
1067
self.checker_callback, pipe[0], command)
1173
# Re-run this periodically if run by GLib.timeout_add
1068
# Re-run this periodically if run by GObject.timeout_add
1174
1069
return True
1175
1070
1176
1071
def stop_checker(self):
1177
1072
"""Force the checker process, if any, to stop."""
1178
1073
if self.checker_callback_tag:
1179
GLib.source_remove(self.checker_callback_tag)
1074
GObject.source_remove(self.checker_callback_tag)
1180
1075
self.checker_callback_tag = None
1181
1076
if getattr(self, "checker", None) is None:
1182
1077
return
1191
1086
byte_arrays=False):
1192
1087
"""Decorators for marking methods of a DBusObjectWithProperties to
1193
1088
become properties on the D-Bus.
1194
1089
1195
1090
The decorated method will be called with no arguments by "Get"
1196
1091
and with one argument by "Set".
1197
1092
1198
1093
The parameters, where they are supported, are the same as
1199
1094
dbus.service.method, except there is only "signature", since the
1200
1095
type from Get() and the type sent to Set() is the same.
1204
1099
if byte_arrays and signature != "ay":
1205
1100
raise ValueError("Byte arrays not supported for non-'ay'"
1206
1101
" signature {!r}".format(signature))
1207
1102
1208
1103
def decorator(func):
1209
1104
func._dbus_is_property = True
1210
1105
func._dbus_interface = dbus_interface
1213
1108
func._dbus_name = func.__name__
1214
1109
if func._dbus_name.endswith("_dbus_property"):
1215
1110
func._dbus_name = func._dbus_name[:-14]
1216
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1111
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1217
1112
return func
1218
1113
1219
1114
return decorator
1220
1115
1221
1116
1222
1117
def dbus_interface_annotations(dbus_interface):
1223
1118
"""Decorator for marking functions returning interface annotations
1224
1119
1225
1120
Usage:
1226
1121
1227
1122
@dbus_interface_annotations("org.example.Interface")
1228
1123
def _foo(self): # Function name does not matter
1229
1124
return {"org.freedesktop.DBus.Deprecated": "true",
1230
1125
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1231
1126
"false"}
1232
1127
"""
1233
1128
1234
1129
def decorator(func):
1235
1130
func._dbus_is_interface = True
1236
1131
func._dbus_interface = dbus_interface
1237
1132
func._dbus_name = dbus_interface
1238
1133
return func
1239
1134
1240
1135
return decorator
1241
1136
1242
1137
1243
1138
def dbus_annotations(annotations):
1244
1139
"""Decorator to annotate D-Bus methods, signals or properties
1245
1140
Usage:
1246
1141
1247
1142
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1248
1143
"org.freedesktop.DBus.Property."
1249
1144
"EmitsChangedSignal": "false"})
1251
1146
access="r")
1252
1147
def Property_dbus_property(self):
1253
1148
return dbus.Boolean(False)
1254
1149
1255
1150
See also the DBusObjectWithAnnotations class.
1256
1151
"""
1257
1152
1258
1153
def decorator(func):
1259
1154
func._dbus_annotations = annotations
1260
1155
return func
1261
1156
1262
1157
return decorator
1263
1158
1264
1159
1282
1177
1283
1178
class DBusObjectWithAnnotations(dbus.service.Object):
1284
1179
"""A D-Bus object with annotations.
1285
1180
1286
1181
Classes inheriting from this can use the dbus_annotations
1287
1182
decorator to add annotations to methods or signals.
1288
1183
"""
1289
1184
1290
1185
@staticmethod
1291
1186
def _is_dbus_thing(thing):
1292
1187
"""Returns a function testing if an attribute is a D-Bus thing
1293
1188
1294
1189
If called like _is_dbus_thing("method") it returns a function
1295
1190
suitable for use as predicate to inspect.getmembers().
1296
1191
"""
1297
1192
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1298
1193
False)
1299
1194
1300
1195
def _get_all_dbus_things(self, thing):
1301
1196
"""Returns a generator of (name, attribute) pairs
1302
1197
"""
1305
1200
for cls in self.__class__.__mro__
1306
1201
for name, athing in
1307
1202
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1308
1203
1309
1204
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1310
out_signature="s",
1311
path_keyword='object_path',
1312
connection_keyword='connection')
1205
out_signature = "s",
1206
path_keyword = 'object_path',
1207
connection_keyword = 'connection')
1313
1208
def Introspect(self, object_path, connection):
1314
1209
"""Overloading of standard D-Bus method.
1315
1210
1316
1211
Inserts annotation tags on methods and signals.
1317
1212
"""
1318
1213
xmlstring = dbus.service.Object.Introspect(self, object_path,
1319
1214
connection)
1320
1215
try:
1321
1216
document = xml.dom.minidom.parseString(xmlstring)
1322
1217
1323
1218
for if_tag in document.getElementsByTagName("interface"):
1324
1219
# Add annotation tags
1325
1220
for typ in ("method", "signal"):
1352
1247
if_tag.appendChild(ann_tag)
1353
1248
# Fix argument name for the Introspect method itself
1354
1249
if (if_tag.getAttribute("name")
1355
== dbus.INTROSPECTABLE_IFACE):
1250
== dbus.INTROSPECTABLE_IFACE):
1356
1251
for cn in if_tag.getElementsByTagName("method"):
1357
1252
if cn.getAttribute("name") == "Introspect":
1358
1253
for arg in cn.getElementsByTagName("arg"):
1371
1266
1372
1267
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1373
1268
"""A D-Bus object with properties.
1374
1269
1375
1270
Classes inheriting from this can use the dbus_service_property
1376
1271
decorator to expose methods as D-Bus properties. It exposes the
1377
1272
standard Get(), Set(), and GetAll() methods on the D-Bus.
1378
1273
"""
1379
1274
1380
1275
def _get_dbus_property(self, interface_name, property_name):
1381
1276
"""Returns a bound method if one exists which is a D-Bus
1382
1277
property with the specified name and interface.
1387
1282
if (value._dbus_name == property_name
1388
1283
and value._dbus_interface == interface_name):
1389
1284
return value.__get__(self)
1390
1285
1391
1286
# No such property
1392
1287
raise DBusPropertyNotFound("{}:{}.{}".format(
1393
1288
self.dbus_object_path, interface_name, property_name))
1394
1289
1395
1290
@classmethod
1396
1291
def _get_all_interface_names(cls):
1397
1292
"""Get a sequence of all interfaces supported by an object"""
1400
1295
for x in (inspect.getmro(cls))
1401
1296
for attr in dir(x))
1402
1297
if name is not None)
1403
1298
1404
1299
@dbus.service.method(dbus.PROPERTIES_IFACE,
1405
1300
in_signature="ss",
1406
1301
out_signature="v")
1414
1309
if not hasattr(value, "variant_level"):
1415
1310
return value
1416
1311
return type(value)(value, variant_level=value.variant_level+1)
1417
1312
1418
1313
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1419
1314
def Set(self, interface_name, property_name, value):
1420
1315
"""Standard D-Bus property Set() method, see D-Bus standard.
1429
1324
raise ValueError("Byte arrays not supported for non-"
1430
1325
"'ay' signature {!r}"
1431
1326
.format(prop._dbus_signature))
1432
value = dbus.ByteArray(bytes(value))
1327
value = dbus.ByteArray(b''.join(chr(byte)
1328
for byte in value))
1433
1329
prop(value)
1434
1330
1435
1331
@dbus.service.method(dbus.PROPERTIES_IFACE,
1436
1332
in_signature="s",
1437
1333
out_signature="a{sv}")
1438
1334
def GetAll(self, interface_name):
1439
1335
"""Standard D-Bus property GetAll() method, see D-Bus
1440
1336
standard.
1441
1337
1442
1338
Note: Will not include properties with access="write".
1443
1339
"""
1444
1340
properties = {}
1455
1351
properties[name] = value
1456
1352
continue
1457
1353
properties[name] = type(value)(
1458
value, variant_level=value.variant_level + 1)
1354
value, variant_level = value.variant_level + 1)
1459
1355
return dbus.Dictionary(properties, signature="sv")
1460
1356
1461
1357
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1462
1358
def PropertiesChanged(self, interface_name, changed_properties,
1463
1359
invalidated_properties):
1465
1361
standard.
1466
1362
"""
1467
1363
pass
1468
1364
1469
1365
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1470
1366
out_signature="s",
1471
1367
path_keyword='object_path',
1472
1368
connection_keyword='connection')
1473
1369
def Introspect(self, object_path, connection):
1474
1370
"""Overloading of standard D-Bus method.
1475
1371
1476
1372
Inserts property tags and interface annotation tags.
1477
1373
"""
1478
1374
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1480
1376
connection)
1481
1377
try:
1482
1378
document = xml.dom.minidom.parseString(xmlstring)
1483
1379
1484
1380
def make_tag(document, name, prop):
1485
1381
e = document.createElement("property")
1486
1382
e.setAttribute("name", name)
1487
1383
e.setAttribute("type", prop._dbus_signature)
1488
1384
e.setAttribute("access", prop._dbus_access)
1489
1385
return e
1490
1386
1491
1387
for if_tag in document.getElementsByTagName("interface"):
1492
1388
# Add property tags
1493
1389
for tag in (make_tag(document, name, prop)
1535
1431
exc_info=error)
1536
1432
return xmlstring
1537
1433
1538
1539
1434
try:
1540
1435
dbus.OBJECT_MANAGER_IFACE
1541
1436
except AttributeError:
1542
1437
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1543
1438
1544
1545
1439
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1546
1440
"""A D-Bus object with an ObjectManager.
1547
1441
1548
1442
Classes inheriting from this exposes the standard
1549
1443
GetManagedObjects call and the InterfacesAdded and
1550
1444
InterfacesRemoved signals on the standard
1551
1445
"org.freedesktop.DBus.ObjectManager" interface.
1552
1446
1553
1447
Note: No signals are sent automatically; they must be sent
1554
1448
manually.
1555
1449
"""
1556
1450
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1557
out_signature="a{oa{sa{sv}}}")
1451
out_signature = "a{oa{sa{sv}}}")
1558
1452
def GetManagedObjects(self):
1559
1453
"""This function must be overridden"""
1560
1454
raise NotImplementedError()
1561
1455
1562
1456
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1563
signature="oa{sa{sv}}")
1457
signature = "oa{sa{sv}}")
1564
1458
def InterfacesAdded(self, object_path, interfaces_and_properties):
1565
1459
pass
1566
1567
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1460
1461
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1568
1462
def InterfacesRemoved(self, object_path, interfaces):
1569
1463
pass
1570
1464
1571
1465
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1572
out_signature="s",
1573
path_keyword='object_path',
1574
connection_keyword='connection')
1466
out_signature = "s",
1467
path_keyword = 'object_path',
1468
connection_keyword = 'connection')
1575
1469
def Introspect(self, object_path, connection):
1576
1470
"""Overloading of standard D-Bus method.
1577
1471
1578
1472
Override return argument name of GetManagedObjects to be
1579
1473
"objpath_interfaces_and_properties"
1580
1474
"""
1583
1477
connection)
1584
1478
try:
1585
1479
document = xml.dom.minidom.parseString(xmlstring)
1586
1480
1587
1481
for if_tag in document.getElementsByTagName("interface"):
1588
1482
# Fix argument name for the GetManagedObjects method
1589
1483
if (if_tag.getAttribute("name")
1590
== dbus.OBJECT_MANAGER_IFACE):
1484
== dbus.OBJECT_MANAGER_IFACE):
1591
1485
for cn in if_tag.getElementsByTagName("method"):
1592
1486
if (cn.getAttribute("name")
1593
1487
== "GetManagedObjects"):
1603
1497
except (AttributeError, xml.dom.DOMException,
1604
1498
xml.parsers.expat.ExpatError) as error:
1605
1499
logger.error("Failed to override Introspection method",
1606
exc_info=error)
1500
exc_info = error)
1607
1501
return xmlstring
1608
1502
1609
1610
1503
def datetime_to_dbus(dt, variant_level=0):
1611
1504
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1612
1505
if dt is None:
1613
return dbus.String("", variant_level=variant_level)
1506
return dbus.String("", variant_level = variant_level)
1614
1507
return dbus.String(dt.isoformat(), variant_level=variant_level)
1615
1508
1616
1509
1619
1512
dbus.service.Object, it will add alternate D-Bus attributes with
1620
1513
interface names according to the "alt_interface_names" mapping.
1621
1514
Usage:
1622
1515
1623
1516
@alternate_dbus_interfaces({"org.example.Interface":
1624
1517
"net.example.AlternateInterface"})
1625
1518
class SampleDBusObject(dbus.service.Object):
1626
1519
@dbus.service.method("org.example.Interface")
1627
1520
def SampleDBusMethod():
1628
1521
pass
1629
1522
1630
1523
The above "SampleDBusMethod" on "SampleDBusObject" will be
1631
1524
reachable via two interfaces: "org.example.Interface" and
1632
1525
"net.example.AlternateInterface", the latter of which will have
1633
1526
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1634
1527
"true", unless "deprecate" is passed with a False value.
1635
1528
1636
1529
This works for methods and signals, and also for D-Bus properties
1637
1530
(from DBusObjectWithProperties) and interfaces (from the
1638
1531
dbus_interface_annotations decorator).
1639
1532
"""
1640
1533
1641
1534
def wrapper(cls):
1642
1535
for orig_interface_name, alt_interface_name in (
1643
1536
alt_interface_names.items()):
1683
1576
attribute._dbus_annotations)
1684
1577
except AttributeError:
1685
1578
pass
1686
1687
1579
# Define a creator of a function to call both the
1688
1580
# original and alternate functions, so both the
1689
1581
# original and alternate signals gets sent when
1692
1584
"""This function is a scope container to pass
1693
1585
func1 and func2 to the "call_both" function
1694
1586
outside of its arguments"""
1695
1587
1696
1588
@functools.wraps(func2)
1697
1589
def call_both(*args, **kwargs):
1698
1590
"""This function will emit two D-Bus
1699
1591
signals by calling func1 and func2"""
1700
1592
func1(*args, **kwargs)
1701
1593
func2(*args, **kwargs)
1702
# Make wrapper function look like a D-Bus
1703
# signal
1594
# Make wrapper function look like a D-Bus signal
1704
1595
for name, attr in inspect.getmembers(func2):
1705
1596
if name.startswith("_dbus_"):
1706
1597
setattr(call_both, name, attr)
1707
1598
1708
1599
return call_both
1709
1600
# Create the "call_both" function and add it to
1710
1601
# the class
1756
1647
(copy_function(attribute)))
1757
1648
if deprecate:
1758
1649
# Deprecate all alternate interfaces
1759
iname = "_AlternateDBusNames_interface_annotation{}"
1650
iname="_AlternateDBusNames_interface_annotation{}"
1760
1651
for interface_name in interface_names:
1761
1652
1762
1653
@dbus_interface_annotations(interface_name)
1763
1654
def func(self):
1764
return {"org.freedesktop.DBus.Deprecated":
1765
"true"}
1655
return { "org.freedesktop.DBus.Deprecated":
1656
"true" }
1766
1657
# Find an unused name
1767
1658
for aname in (iname.format(i)
1768
1659
for i in itertools.count()):
1779
1670
cls = type("{}Alternate".format(cls.__name__),
1780
1671
(cls, ), attr)
1781
1672
return cls
1782
1673
1783
1674
return wrapper
1784
1675
1785
1676
1787
1678
"se.bsnet.fukt.Mandos"})
1788
1679
class ClientDBus(Client, DBusObjectWithProperties):
1789
1680
"""A Client class using D-Bus
1790
1681
1791
1682
Attributes:
1792
1683
dbus_object_path: dbus.ObjectPath
1793
1684
bus: dbus.SystemBus()
1794
1685
"""
1795
1686
1796
1687
runtime_expansions = (Client.runtime_expansions
1797
1688
+ ("dbus_object_path", ))
1798
1689
1799
1690
_interface = "se.recompile.Mandos.Client"
1800
1691
1801
1692
# dbus.service.Object doesn't use super(), so we can't either.
1802
1803
def __init__(self, bus=None, *args, **kwargs):
1693
1694
def __init__(self, bus = None, *args, **kwargs):
1804
1695
self.bus = bus
1805
1696
Client.__init__(self, *args, **kwargs)
1806
1697
# Only now, when this client is initialized, can it show up on
1812
1703
"/clients/" + client_object_name)
1813
1704
DBusObjectWithProperties.__init__(self, self.bus,
1814
1705
self.dbus_object_path)
1815
1706
1816
1707
def notifychangeproperty(transform_func, dbus_name,
1817
1708
type_func=lambda x: x,
1818
1709
variant_level=1,
1820
1711
_interface=_interface):
1821
1712
""" Modify a variable so that it's a property which announces
1822
1713
its changes to DBus.
1823
1714
1824
1715
transform_fun: Function that takes a value and a variant_level
1825
1716
and transforms it to a D-Bus type.
1826
1717
dbus_name: D-Bus name of the variable
1829
1720
variant_level: D-Bus variant level. Default: 1
1830
1721
"""
1831
1722
attrname = "_{}".format(dbus_name)
1832
1723
1833
1724
def setter(self, value):
1834
1725
if hasattr(self, "dbus_object_path"):
1835
1726
if (not hasattr(self, attrname) or
1842
1733
else:
1843
1734
dbus_value = transform_func(
1844
1735
type_func(value),
1845
variant_level=variant_level)
1736
variant_level = variant_level)
1846
1737
self.PropertyChanged(dbus.String(dbus_name),
1847
1738
dbus_value)
1848
1739
self.PropertiesChanged(
1849
1740
_interface,
1850
dbus.Dictionary({dbus.String(dbus_name):
1851
dbus_value}),
1741
dbus.Dictionary({ dbus.String(dbus_name):
1742
dbus_value }),
1852
1743
dbus.Array())
1853
1744
setattr(self, attrname, value)
1854
1745
1855
1746
return property(lambda self: getattr(self, attrname), setter)
1856
1747
1857
1748
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1858
1749
approvals_pending = notifychangeproperty(dbus.Boolean,
1859
1750
"ApprovalPending",
1860
type_func=bool)
1751
type_func = bool)
1861
1752
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1862
1753
last_enabled = notifychangeproperty(datetime_to_dbus,
1863
1754
"LastEnabled")
1864
1755
checker = notifychangeproperty(
1865
1756
dbus.Boolean, "CheckerRunning",
1866
type_func=lambda checker: checker is not None)
1757
type_func = lambda checker: checker is not None)
1867
1758
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1868
1759
"LastCheckedOK")
1869
1760
last_checker_status = notifychangeproperty(dbus.Int16,
1874
1765
"ApprovedByDefault")
1875
1766
approval_delay = notifychangeproperty(
1876
1767
dbus.UInt64, "ApprovalDelay",
1877
type_func=lambda td: td.total_seconds() * 1000)
1768
type_func = lambda td: td.total_seconds() * 1000)
1878
1769
approval_duration = notifychangeproperty(
1879
1770
dbus.UInt64, "ApprovalDuration",
1880
type_func=lambda td: td.total_seconds() * 1000)
1771
type_func = lambda td: td.total_seconds() * 1000)
1881
1772
host = notifychangeproperty(dbus.String, "Host")
1882
1773
timeout = notifychangeproperty(
1883
1774
dbus.UInt64, "Timeout",
1884
type_func=lambda td: td.total_seconds() * 1000)
1775
type_func = lambda td: td.total_seconds() * 1000)
1885
1776
extended_timeout = notifychangeproperty(
1886
1777
dbus.UInt64, "ExtendedTimeout",
1887
type_func=lambda td: td.total_seconds() * 1000)
1778
type_func = lambda td: td.total_seconds() * 1000)
1888
1779
interval = notifychangeproperty(
1889
1780
dbus.UInt64, "Interval",
1890
type_func=lambda td: td.total_seconds() * 1000)
1781
type_func = lambda td: td.total_seconds() * 1000)
1891
1782
checker_command = notifychangeproperty(dbus.String, "Checker")
1892
1783
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1893
1784
invalidate_only=True)
1894
1785
1895
1786
del notifychangeproperty
1896
1787
1897
1788
def __del__(self, *args, **kwargs):
1898
1789
try:
1899
1790
self.remove_from_connection()
1902
1793
if hasattr(DBusObjectWithProperties, "__del__"):
1903
1794
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1904
1795
Client.__del__(self, *args, **kwargs)
1905
1796
1906
1797
def checker_callback(self, source, condition,
1907
1798
connection, command, *args, **kwargs):
1908
1799
ret = Client.checker_callback(self, source, condition,
1924
1815
| self.last_checker_signal),
1925
1816
dbus.String(command))
1926
1817
return ret
1927
1818
1928
1819
def start_checker(self, *args, **kwargs):
1929
1820
old_checker_pid = getattr(self.checker, "pid", None)
1930
1821
r = Client.start_checker(self, *args, **kwargs)
1934
1825
# Emit D-Bus signal
1935
1826
self.CheckerStarted(self.current_checker_command)
1936
1827
return r
1937
1828
1938
1829
def _reset_approved(self):
1939
1830
self.approved = None
1940
1831
return False
1941
1832
1942
1833
def approve(self, value=True):
1943
1834
self.approved = value
1944
GLib.timeout_add(int(self.approval_duration.total_seconds()
1945
* 1000), self._reset_approved)
1835
GObject.timeout_add(int(self.approval_duration.total_seconds()
1836
* 1000), self._reset_approved)
1946
1837
self.send_changedstate()
1947
1948
# D-Bus methods, signals & properties
1949
1950
# Interfaces
1951
1952
# Signals
1953
1838
1839
## D-Bus methods, signals & properties
1840
1841
## Interfaces
1842
1843
## Signals
1844
1954
1845
# CheckerCompleted - signal
1955
1846
@dbus.service.signal(_interface, signature="nxs")
1956
1847
def CheckerCompleted(self, exitcode, waitstatus, command):
1957
1848
"D-Bus signal"
1958
1849
pass
1959
1850
1960
1851
# CheckerStarted - signal
1961
1852
@dbus.service.signal(_interface, signature="s")
1962
1853
def CheckerStarted(self, command):
1963
1854
"D-Bus signal"
1964
1855
pass
1965
1856
1966
1857
# PropertyChanged - signal
1967
1858
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1968
1859
@dbus.service.signal(_interface, signature="sv")
1969
1860
def PropertyChanged(self, property, value):
1970
1861
"D-Bus signal"
1971
1862
pass
1972
1863
1973
1864
# GotSecret - signal
1974
1865
@dbus.service.signal(_interface)
1975
1866
def GotSecret(self):
1978
1869
server to mandos-client
1979
1870
"""
1980
1871
pass
1981
1872
1982
1873
# Rejected - signal
1983
1874
@dbus.service.signal(_interface, signature="s")
1984
1875
def Rejected(self, reason):
1985
1876
"D-Bus signal"
1986
1877
pass
1987
1878
1988
1879
# NeedApproval - signal
1989
1880
@dbus.service.signal(_interface, signature="tb")
1990
1881
def NeedApproval(self, timeout, default):
1991
1882
"D-Bus signal"
1992
1883
return self.need_approval()
1993
1994
# Methods
1995
1884
1885
## Methods
1886
1996
1887
# Approve - method
1997
1888
@dbus.service.method(_interface, in_signature="b")
1998
1889
def Approve(self, value):
1999
1890
self.approve(value)
2000
1891
2001
1892
# CheckedOK - method
2002
1893
@dbus.service.method(_interface)
2003
1894
def CheckedOK(self):
2004
1895
self.checked_ok()
2005
1896
2006
1897
# Enable - method
2007
1898
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2008
1899
@dbus.service.method(_interface)
2009
1900
def Enable(self):
2010
1901
"D-Bus method"
2011
1902
self.enable()
2012
1903
2013
1904
# StartChecker - method
2014
1905
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2015
1906
@dbus.service.method(_interface)
2016
1907
def StartChecker(self):
2017
1908
"D-Bus method"
2018
1909
self.start_checker()
2019
1910
2020
1911
# Disable - method
2021
1912
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2022
1913
@dbus.service.method(_interface)
2023
1914
def Disable(self):
2024
1915
"D-Bus method"
2025
1916
self.disable()
2026
1917
2027
1918
# StopChecker - method
2028
1919
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
2029
1920
@dbus.service.method(_interface)
2030
1921
def StopChecker(self):
2031
1922
self.stop_checker()
2032
2033
# Properties
2034
1923
1924
## Properties
1925
2035
1926
# ApprovalPending - property
2036
1927
@dbus_service_property(_interface, signature="b", access="read")
2037
1928
def ApprovalPending_dbus_property(self):
2038
1929
return dbus.Boolean(bool(self.approvals_pending))
2039
1930
2040
1931
# ApprovedByDefault - property
2041
1932
@dbus_service_property(_interface,
2042
1933
signature="b",
2045
1936
if value is None: # get
2046
1937
return dbus.Boolean(self.approved_by_default)
2047
1938
self.approved_by_default = bool(value)
2048
1939
2049
1940
# ApprovalDelay - property
2050
1941
@dbus_service_property(_interface,
2051
1942
signature="t",
2055
1946
return dbus.UInt64(self.approval_delay.total_seconds()
2056
1947
* 1000)
2057
1948
self.approval_delay = datetime.timedelta(0, 0, 0, value)
2058
1949
2059
1950
# ApprovalDuration - property
2060
1951
@dbus_service_property(_interface,
2061
1952
signature="t",
2065
1956
return dbus.UInt64(self.approval_duration.total_seconds()
2066
1957
* 1000)
2067
1958
self.approval_duration = datetime.timedelta(0, 0, 0, value)
2068
1959
2069
1960
# Name - property
2070
1961
@dbus_annotations(
2071
1962
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2072
1963
@dbus_service_property(_interface, signature="s", access="read")
2073
1964
def Name_dbus_property(self):
2074
1965
return dbus.String(self.name)
2075
2076
# KeyID - property
2077
@dbus_annotations(
2078
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2079
@dbus_service_property(_interface, signature="s", access="read")
2080
def KeyID_dbus_property(self):
2081
return dbus.String(self.key_id)
2082
1966
2083
1967
# Fingerprint - property
2084
1968
@dbus_annotations(
2085
1969
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2086
1970
@dbus_service_property(_interface, signature="s", access="read")
2087
1971
def Fingerprint_dbus_property(self):
2088
1972
return dbus.String(self.fingerprint)
2089
1973
2090
1974
# Host - property
2091
1975
@dbus_service_property(_interface,
2092
1976
signature="s",
2095
1979
if value is None: # get
2096
1980
return dbus.String(self.host)
2097
1981
self.host = str(value)
2098
1982
2099
1983
# Created - property
2100
1984
@dbus_annotations(
2101
1985
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2102
1986
@dbus_service_property(_interface, signature="s", access="read")
2103
1987
def Created_dbus_property(self):
2104
1988
return datetime_to_dbus(self.created)
2105
1989
2106
1990
# LastEnabled - property
2107
1991
@dbus_service_property(_interface, signature="s", access="read")
2108
1992
def LastEnabled_dbus_property(self):
2109
1993
return datetime_to_dbus(self.last_enabled)
2110
1994
2111
1995
# Enabled - property
2112
1996
@dbus_service_property(_interface,
2113
1997
signature="b",
2119
2003
self.enable()
2120
2004
else:
2121
2005
self.disable()
2122
2006
2123
2007
# LastCheckedOK - property
2124
2008
@dbus_service_property(_interface,
2125
2009
signature="s",
2129
2013
self.checked_ok()
2130
2014
return
2131
2015
return datetime_to_dbus(self.last_checked_ok)
2132
2016
2133
2017
# LastCheckerStatus - property
2134
2018
@dbus_service_property(_interface, signature="n", access="read")
2135
2019
def LastCheckerStatus_dbus_property(self):
2136
2020
return dbus.Int16(self.last_checker_status)
2137
2021
2138
2022
# Expires - property
2139
2023
@dbus_service_property(_interface, signature="s", access="read")
2140
2024
def Expires_dbus_property(self):
2141
2025
return datetime_to_dbus(self.expires)
2142
2026
2143
2027
# LastApprovalRequest - property
2144
2028
@dbus_service_property(_interface, signature="s", access="read")
2145
2029
def LastApprovalRequest_dbus_property(self):
2146
2030
return datetime_to_dbus(self.last_approval_request)
2147
2031
2148
2032
# Timeout - property
2149
2033
@dbus_service_property(_interface,
2150
2034
signature="t",
2165
2049
if (getattr(self, "disable_initiator_tag", None)
2166
2050
is None):
2167
2051
return
2168
GLib.source_remove(self.disable_initiator_tag)
2169
self.disable_initiator_tag = GLib.timeout_add(
2052
GObject.source_remove(self.disable_initiator_tag)
2053
self.disable_initiator_tag = GObject.timeout_add(
2170
2054
int((self.expires - now).total_seconds() * 1000),
2171
2055
self.disable)
2172
2056
2173
2057
# ExtendedTimeout - property
2174
2058
@dbus_service_property(_interface,
2175
2059
signature="t",
2179
2063
return dbus.UInt64(self.extended_timeout.total_seconds()
2180
2064
* 1000)
2181
2065
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2182
2066
2183
2067
# Interval - property
2184
2068
@dbus_service_property(_interface,
2185
2069
signature="t",
2192
2076
return
2193
2077
if self.enabled:
2194
2078
# Reschedule checker run
2195
GLib.source_remove(self.checker_initiator_tag)
2196
self.checker_initiator_tag = GLib.timeout_add(
2079
GObject.source_remove(self.checker_initiator_tag)
2080
self.checker_initiator_tag = GObject.timeout_add(
2197
2081
value, self.start_checker)
2198
self.start_checker() # Start one now, too
2199
2082
self.start_checker() # Start one now, too
2083
2200
2084
# Checker - property
2201
2085
@dbus_service_property(_interface,
2202
2086
signature="s",
2205
2089
if value is None: # get
2206
2090
return dbus.String(self.checker_command)
2207
2091
self.checker_command = str(value)
2208
2092
2209
2093
# CheckerRunning - property
2210
2094
@dbus_service_property(_interface,
2211
2095
signature="b",
2217
2101
self.start_checker()
2218
2102
else:
2219
2103
self.stop_checker()
2220
2104
2221
2105
# ObjectPath - property
2222
2106
@dbus_annotations(
2223
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2224
2108
"org.freedesktop.DBus.Deprecated": "true"})
2225
2109
@dbus_service_property(_interface, signature="o", access="read")
2226
2110
def ObjectPath_dbus_property(self):
2227
return self.dbus_object_path # is already a dbus.ObjectPath
2228
2111
return self.dbus_object_path # is already a dbus.ObjectPath
2112
2229
2113
# Secret = property
2230
2114
@dbus_annotations(
2231
2115
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2236
2120
byte_arrays=True)
2237
2121
def Secret_dbus_property(self, value):
2238
2122
self.secret = bytes(value)
2239
2123
2240
2124
del _interface
2241
2125
2242
2126
2243
class ProxyClient:
2244
def __init__(self, child_pipe, key_id, fpr, address):
2127
class ProxyClient(object):
2128
def __init__(self, child_pipe, fpr, address):
2245
2129
self._pipe = child_pipe
2246
self._pipe.send(('init', key_id, fpr, address))
2130
self._pipe.send(('init', fpr, address))
2247
2131
if not self._pipe.recv():
2248
raise KeyError(key_id or fpr)
2249
2132
raise KeyError(fpr)
2133
2250
2134
def __getattribute__(self, name):
2251
2135
if name == '_pipe':
2252
2136
return super(ProxyClient, self).__getattribute__(name)
2255
2139
if data[0] == 'data':
2256
2140
return data[1]
2257
2141
if data[0] == 'function':
2258
2142
2259
2143
def func(*args, **kwargs):
2260
2144
self._pipe.send(('funcall', name, args, kwargs))
2261
2145
return self._pipe.recv()[1]
2262
2146
2263
2147
return func
2264
2148
2265
2149
def __setattr__(self, name, value):
2266
2150
if name == '_pipe':
2267
2151
return super(ProxyClient, self).__setattr__(name, value)
2270
2154
2271
2155
class ClientHandler(socketserver.BaseRequestHandler, object):
2272
2156
"""A class to handle client connections.
2273
2157
2274
2158
Instantiated once for each connection to handle it.
2275
2159
Note: This will run in its own forked process."""
2276
2160
2277
2161
def handle(self):
2278
2162
with contextlib.closing(self.server.child_pipe) as child_pipe:
2279
2163
logger.info("TCP connection from: %s",
2280
2164
str(self.client_address))
2281
2165
logger.debug("Pipe FD: %d",
2282
2166
self.server.child_pipe.fileno())
2283
2167
2284
2168
session = gnutls.ClientSession(self.request)
2285
2286
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2287
# "+AES-256-CBC", "+SHA1",
2288
# "+COMP-NULL", "+CTYPE-OPENPGP",
2289
# "+DHE-DSS"))
2169
2170
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2171
# "+AES-256-CBC", "+SHA1",
2172
# "+COMP-NULL", "+CTYPE-OPENPGP",
2173
# "+DHE-DSS"))
2290
2174
# Use a fallback default, since this MUST be set.
2291
2175
priority = self.server.gnutls_priority
2292
2176
if priority is None:
2293
2177
priority = "NORMAL"
2294
gnutls.priority_set_direct(session._c_object,
2295
priority.encode("utf-8"),
2178
gnutls.priority_set_direct(session._c_object, priority,
2296
2179
None)
2297
2180
2298
2181
# Start communication using the Mandos protocol
2299
2182
# Get protocol number
2300
2183
line = self.request.makefile().readline()
2305
2188
except (ValueError, IndexError, RuntimeError) as error:
2306
2189
logger.error("Unknown protocol version: %s", error)
2307
2190
return
2308
2191
2309
2192
# Start GnuTLS connection
2310
2193
try:
2311
2194
session.handshake()
2315
2198
# established. Just abandon the request.
2316
2199
return
2317
2200
logger.debug("Handshake succeeded")
2318
2201
2319
2202
approval_required = False
2320
2203
try:
2321
if gnutls.has_rawpk:
2322
fpr = b""
2323
try:
2324
key_id = self.key_id(
2325
self.peer_certificate(session))
2326
except (TypeError, gnutls.Error) as error:
2327
logger.warning("Bad certificate: %s", error)
2328
return
2329
logger.debug("Key ID: %s", key_id)
2330
2331
else:
2332
key_id = b""
2333
try:
2334
fpr = self.fingerprint(
2335
self.peer_certificate(session))
2336
except (TypeError, gnutls.Error) as error:
2337
logger.warning("Bad certificate: %s", error)
2338
return
2339
logger.debug("Fingerprint: %s", fpr)
2340
2341
try:
2342
client = ProxyClient(child_pipe, key_id, fpr,
2204
try:
2205
fpr = self.fingerprint(
2206
self.peer_certificate(session))
2207
except (TypeError, gnutls.Error) as error:
2208
logger.warning("Bad certificate: %s", error)
2209
return
2210
logger.debug("Fingerprint: %s", fpr)
2211
2212
try:
2213
client = ProxyClient(child_pipe, fpr,
2343
2214
self.client_address)
2344
2215
except KeyError:
2345
2216
return
2346
2217
2347
2218
if client.approval_delay:
2348
2219
delay = client.approval_delay
2349
2220
client.approvals_pending += 1
2350
2221
approval_required = True
2351
2222
2352
2223
while True:
2353
2224
if not client.enabled:
2354
2225
logger.info("Client %s is disabled",
2357
2228
# Emit D-Bus signal
2358
2229
client.Rejected("Disabled")
2359
2230
return
2360
2231
2361
2232
if client.approved or not client.approval_delay:
2362
# We are approved or approval is disabled
2233
#We are approved or approval is disabled
2363
2234
break
2364
2235
elif client.approved is None:
2365
2236
logger.info("Client %s needs approval",
2376
2247
# Emit D-Bus signal
2377
2248
client.Rejected("Denied")
2378
2249
return
2379
2380
# wait until timeout or approved
2250
2251
#wait until timeout or approved
2381
2252
time = datetime.datetime.now()
2382
2253
client.changedstate.acquire()
2383
2254
client.changedstate.wait(delay.total_seconds())
2396
2267
break
2397
2268
else:
2398
2269
delay -= time2 - time
2399
2270
2400
2271
try:
2401
2272
session.send(client.secret)
2402
2273
except gnutls.Error as error:
2403
2274
logger.warning("gnutls send failed",
2404
exc_info=error)
2275
exc_info = error)
2405
2276
return
2406
2277
2407
2278
logger.info("Sending secret to %s", client.name)
2408
2279
# bump the timeout using extended_timeout
2409
2280
client.bump_timeout(client.extended_timeout)
2410
2281
if self.server.use_dbus:
2411
2282
# Emit D-Bus signal
2412
2283
client.GotSecret()
2413
2284
2414
2285
finally:
2415
2286
if approval_required:
2416
2287
client.approvals_pending -= 1
2419
2290
except gnutls.Error as error:
2420
2291
logger.warning("GnuTLS bye failed",
2421
2292
exc_info=error)
2422
2293
2423
2294
@staticmethod
2424
2295
def peer_certificate(session):
2425
"Return the peer's certificate as a bytestring"
2426
try:
2427
cert_type = gnutls.certificate_type_get2(session._c_object,
2428
gnutls.CTYPE_PEERS)
2429
except AttributeError:
2430
cert_type = gnutls.certificate_type_get(session._c_object)
2431
if gnutls.has_rawpk:
2432
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2433
else:
2434
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2435
# If not a valid certificate type...
2436
if cert_type not in valid_cert_types:
2437
logger.info("Cert type %r not in %r", cert_type,
2438
valid_cert_types)
2296
"Return the peer's OpenPGP certificate as a bytestring"
2297
# If not an OpenPGP certificate...
2298
if (gnutls.certificate_type_get(session._c_object)
2299
!= gnutls.CRT_OPENPGP):
2439
2300
# ...return invalid data
2440
2301
return b""
2441
2302
list_size = ctypes.c_uint(1)
2447
2308
return None
2448
2309
cert = cert_list[0]
2449
2310
return ctypes.string_at(cert.data, cert.size)
2450
2451
@staticmethod
2452
def key_id(certificate):
2453
"Convert a certificate bytestring to a hexdigit key ID"
2454
# New GnuTLS "datum" with the public key
2455
datum = gnutls.datum_t(
2456
ctypes.cast(ctypes.c_char_p(certificate),
2457
ctypes.POINTER(ctypes.c_ubyte)),
2458
ctypes.c_uint(len(certificate)))
2459
# XXX all these need to be created in the gnutls "module"
2460
# New empty GnuTLS certificate
2461
pubkey = gnutls.pubkey_t()
2462
gnutls.pubkey_init(ctypes.byref(pubkey))
2463
# Import the raw public key into the certificate
2464
gnutls.pubkey_import(pubkey,
2465
ctypes.byref(datum),
2466
gnutls.X509_FMT_DER)
2467
# New buffer for the key ID
2468
buf = ctypes.create_string_buffer(32)
2469
buf_len = ctypes.c_size_t(len(buf))
2470
# Get the key ID from the raw public key into the buffer
2471
gnutls.pubkey_get_key_id(pubkey,
2472
gnutls.KEYID_USE_SHA256,
2473
ctypes.cast(ctypes.byref(buf),
2474
ctypes.POINTER(ctypes.c_ubyte)),
2475
ctypes.byref(buf_len))
2476
# Deinit the certificate
2477
gnutls.pubkey_deinit(pubkey)
2478
2479
# Convert the buffer to a Python bytestring
2480
key_id = ctypes.string_at(buf, buf_len.value)
2481
# Convert the bytestring to hexadecimal notation
2482
hex_key_id = binascii.hexlify(key_id).upper()
2483
return hex_key_id
2484
2311
2485
2312
@staticmethod
2486
2313
def fingerprint(openpgp):
2487
2314
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2502
2329
ctypes.byref(crtverify))
2503
2330
if crtverify.value != 0:
2504
2331
gnutls.openpgp_crt_deinit(crt)
2505
raise gnutls.CertificateSecurityError(code
2506
=crtverify.value)
2332
raise gnutls.CertificateSecurityError("Verify failed")
2507
2333
# New buffer for the fingerprint
2508
2334
buf = ctypes.create_string_buffer(20)
2509
2335
buf_len = ctypes.c_size_t()
2519
2345
return hex_fpr
2520
2346
2521
2347
2522
class MultiprocessingMixIn:
2348
class MultiprocessingMixIn(object):
2523
2349
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2524
2350
2525
2351
def sub_process_main(self, request, address):
2526
2352
try:
2527
2353
self.finish_request(request, address)
2528
2354
except Exception:
2529
2355
self.handle_error(request, address)
2530
2356
self.close_request(request)
2531
2357
2532
2358
def process_request(self, request, address):
2533
2359
"""Start a new process to process the request."""
2534
proc = multiprocessing.Process(target=self.sub_process_main,
2535
args=(request, address))
2360
proc = multiprocessing.Process(target = self.sub_process_main,
2361
args = (request, address))
2536
2362
proc.start()
2537
2363
return proc
2538
2364
2539
2365
2540
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2366
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2541
2367
""" adds a pipe to the MixIn """
2542
2368
2543
2369
def process_request(self, request, client_address):
2544
2370
"""Overrides and wraps the original process_request().
2545
2371
2546
2372
This function creates a new pipe in self.pipe
2547
2373
"""
2548
2374
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2549
2375
2550
2376
proc = MultiprocessingMixIn.process_request(self, request,
2551
2377
client_address)
2552
2378
self.child_pipe.close()
2553
2379
self.add_pipe(parent_pipe, proc)
2554
2380
2555
2381
def add_pipe(self, parent_pipe, proc):
2556
2382
"""Dummy function; override as necessary"""
2557
2383
raise NotImplementedError()
2558
2384
2559
2385
2560
2386
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2561
socketserver.TCPServer):
2387
socketserver.TCPServer, object):
2562
2388
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2563
2389
2564
2390
Attributes:
2565
2391
enabled: Boolean; whether this server is activated yet
2566
2392
interface: None or a network interface name (string)
2567
2393
use_ipv6: Boolean; to use IPv6 or not
2568
2394
"""
2569
2395
2570
2396
def __init__(self, server_address, RequestHandlerClass,
2571
2397
interface=None,
2572
2398
use_ipv6=True,
2582
2408
self.socketfd = socketfd
2583
2409
# Save the original socket.socket() function
2584
2410
self.socket_socket = socket.socket
2585
2586
2411
# To implement --socket, we monkey patch socket.socket.
2587
#
2412
#
2588
2413
# (When socketserver.TCPServer is a new-style class, we
2589
2414
# could make self.socket into a property instead of monkey
2590
2415
# patching socket.socket.)
2591
#
2416
#
2592
2417
# Create a one-time-only replacement for socket.socket()
2593
2418
@functools.wraps(socket.socket)
2594
2419
def socket_wrapper(*args, **kwargs):
2606
2431
# socket_wrapper(), if socketfd was set.
2607
2432
socketserver.TCPServer.__init__(self, server_address,
2608
2433
RequestHandlerClass)
2609
2434
2610
2435
def server_bind(self):
2611
2436
"""This overrides the normal server_bind() function
2612
2437
to bind to an interface if one was specified, and also NOT to
2613
2438
bind to an address or port if they were not specified."""
2614
global SO_BINDTODEVICE
2615
2439
if self.interface is not None:
2616
2440
if SO_BINDTODEVICE is None:
2617
# Fall back to a hard-coded value which seems to be
2618
# common enough.
2619
logger.warning("SO_BINDTODEVICE not found, trying 25")
2620
SO_BINDTODEVICE = 25
2621
try:
2622
self.socket.setsockopt(
2623
socket.SOL_SOCKET, SO_BINDTODEVICE,
2624
(self.interface + "\0").encode("utf-8"))
2625
except socket.error as error:
2626
if error.errno == errno.EPERM:
2627
logger.error("No permission to bind to"
2628
" interface %s", self.interface)
2629
elif error.errno == errno.ENOPROTOOPT:
2630
logger.error("SO_BINDTODEVICE not available;"
2631
" cannot bind to interface %s",
2632
self.interface)
2633
elif error.errno == errno.ENODEV:
2634
logger.error("Interface %s does not exist,"
2635
" cannot bind", self.interface)
2636
else:
2637
raise
2441
logger.error("SO_BINDTODEVICE does not exist;"
2442
" cannot bind to interface %s",
2443
self.interface)
2444
else:
2445
try:
2446
self.socket.setsockopt(
2447
socket.SOL_SOCKET, SO_BINDTODEVICE,
2448
(self.interface + "\0").encode("utf-8"))
2449
except socket.error as error:
2450
if error.errno == errno.EPERM:
2451
logger.error("No permission to bind to"
2452
" interface %s", self.interface)
2453
elif error.errno == errno.ENOPROTOOPT:
2454
logger.error("SO_BINDTODEVICE not available;"
2455
" cannot bind to interface %s",
2456
self.interface)
2457
elif error.errno == errno.ENODEV:
2458
logger.error("Interface %s does not exist,"
2459
" cannot bind", self.interface)
2460
else:
2461
raise
2638
2462
# Only bind(2) the socket if we really need to.
2639
2463
if self.server_address[0] or self.server_address[1]:
2640
if self.server_address[1]:
2641
self.allow_reuse_address = True
2642
2464
if not self.server_address[0]:
2643
2465
if self.address_family == socket.AF_INET6:
2644
any_address = "::" # in6addr_any
2466
any_address = "::" # in6addr_any
2645
2467
else:
2646
any_address = "0.0.0.0" # INADDR_ANY
2468
any_address = "0.0.0.0" # INADDR_ANY
2647
2469
self.server_address = (any_address,
2648
2470
self.server_address[1])
2649
2471
elif not self.server_address[1]:
2659
2481
2660
2482
class MandosServer(IPv6_TCPServer):
2661
2483
"""Mandos server.
2662
2484
2663
2485
Attributes:
2664
2486
clients: set of Client objects
2665
2487
gnutls_priority GnuTLS priority string
2666
2488
use_dbus: Boolean; to emit D-Bus signals or not
2667
2668
Assumes a GLib.MainLoop event loop.
2489
2490
Assumes a GObject.MainLoop event loop.
2669
2491
"""
2670
2492
2671
2493
def __init__(self, server_address, RequestHandlerClass,
2672
2494
interface=None,
2673
2495
use_ipv6=True,
2683
2505
self.gnutls_priority = gnutls_priority
2684
2506
IPv6_TCPServer.__init__(self, server_address,
2685
2507
RequestHandlerClass,
2686
interface=interface,
2687
use_ipv6=use_ipv6,
2688
socketfd=socketfd)
2689
2508
interface = interface,
2509
use_ipv6 = use_ipv6,
2510
socketfd = socketfd)
2511
2690
2512
def server_activate(self):
2691
2513
if self.enabled:
2692
2514
return socketserver.TCPServer.server_activate(self)
2693
2515
2694
2516
def enable(self):
2695
2517
self.enabled = True
2696
2518
2697
2519
def add_pipe(self, parent_pipe, proc):
2698
2520
# Call "handle_ipc" for both data and EOF events
2699
GLib.io_add_watch(
2700
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2701
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2521
GObject.io_add_watch(
2522
parent_pipe.fileno(),
2523
GObject.IO_IN | GObject.IO_HUP,
2702
2524
functools.partial(self.handle_ipc,
2703
parent_pipe=parent_pipe,
2704
proc=proc))
2705
2525
parent_pipe = parent_pipe,
2526
proc = proc))
2527
2706
2528
def handle_ipc(self, source, condition,
2707
2529
parent_pipe=None,
2708
proc=None,
2530
proc = None,
2709
2531
client_object=None):
2710
2532
# error, or the other end of multiprocessing.Pipe has closed
2711
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2533
if condition & (GObject.IO_ERR | GObject.IO_HUP):
2712
2534
# Wait for other process to exit
2713
2535
proc.join()
2714
2536
return False
2715
2537
2716
2538
# Read a request from the child
2717
2539
request = parent_pipe.recv()
2718
2540
command = request[0]
2719
2541
2720
2542
if command == 'init':
2721
key_id = request[1].decode("ascii")
2722
fpr = request[2].decode("ascii")
2723
address = request[3]
2724
2543
fpr = request[1]
2544
address = request[2]
2545
2725
2546
for c in self.clients.values():
2726
if key_id == "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855":
2727
continue
2728
if key_id and c.key_id == key_id:
2729
client = c
2730
break
2731
if fpr and c.fingerprint == fpr:
2547
if c.fingerprint == fpr:
2732
2548
client = c
2733
2549
break
2734
2550
else:
2735
logger.info("Client not found for key ID: %s, address"
2736
": %s", key_id or fpr, address)
2551
logger.info("Client not found for fingerprint: %s, ad"
2552
"dress: %s", fpr, address)
2737
2553
if self.use_dbus:
2738
2554
# Emit D-Bus signal
2739
mandos_dbus_service.ClientNotFound(key_id or fpr,
2555
mandos_dbus_service.ClientNotFound(fpr,
2740
2556
address[0])
2741
2557
parent_pipe.send(False)
2742
2558
return False
2743
2744
GLib.io_add_watch(
2745
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2746
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2559
2560
GObject.io_add_watch(
2561
parent_pipe.fileno(),
2562
GObject.IO_IN | GObject.IO_HUP,
2747
2563
functools.partial(self.handle_ipc,
2748
parent_pipe=parent_pipe,
2749
proc=proc,
2750
client_object=client))
2564
parent_pipe = parent_pipe,
2565
proc = proc,
2566
client_object = client))
2751
2567
parent_pipe.send(True)
2752
2568
# remove the old hook in favor of the new above hook on
2753
2569
# same fileno
2756
2572
funcname = request[1]
2757
2573
args = request[2]
2758
2574
kwargs = request[3]
2759
2575
2760
2576
parent_pipe.send(('data', getattr(client_object,
2761
2577
funcname)(*args,
2762
2578
**kwargs)))
2763
2579
2764
2580
if command == 'getattr':
2765
2581
attrname = request[1]
2766
2582
if isinstance(client_object.__getattribute__(attrname),
2767
collections.abc.Callable):
2583
collections.Callable):
2768
2584
parent_pipe.send(('function', ))
2769
2585
else:
2770
2586
parent_pipe.send((
2771
2587
'data', client_object.__getattribute__(attrname)))
2772
2588
2773
2589
if command == 'setattr':
2774
2590
attrname = request[1]
2775
2591
value = request[2]
2776
2592
setattr(client_object, attrname, value)
2777
2593
2778
2594
return True
2779
2595
2780
2596
2781
2597
def rfc3339_duration_to_delta(duration):
2782
2598
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2783
2784
>>> rfc3339_duration_to_delta("P7D") == datetime.timedelta(7)
2785
True
2786
>>> rfc3339_duration_to_delta("PT60S") == datetime.timedelta(0, 60)
2787
True
2788
>>> rfc3339_duration_to_delta("PT60M") == datetime.timedelta(0, 3600)
2789
True
2790
>>> rfc3339_duration_to_delta("PT24H") == datetime.timedelta(1)
2791
True
2792
>>> rfc3339_duration_to_delta("P1W") == datetime.timedelta(7)
2793
True
2794
>>> rfc3339_duration_to_delta("PT5M30S") == datetime.timedelta(0, 330)
2795
True
2796
>>> rfc3339_duration_to_delta("P1DT3M20S") == datetime.timedelta(1, 200)
2797
True
2599
2600
>>> rfc3339_duration_to_delta("P7D")
2601
datetime.timedelta(7)
2602
>>> rfc3339_duration_to_delta("PT60S")
2603
datetime.timedelta(0, 60)
2604
>>> rfc3339_duration_to_delta("PT60M")
2605
datetime.timedelta(0, 3600)
2606
>>> rfc3339_duration_to_delta("PT24H")
2607
datetime.timedelta(1)
2608
>>> rfc3339_duration_to_delta("P1W")
2609
datetime.timedelta(7)
2610
>>> rfc3339_duration_to_delta("PT5M30S")
2611
datetime.timedelta(0, 330)
2612
>>> rfc3339_duration_to_delta("P1DT3M20S")
2613
datetime.timedelta(1, 200)
2798
2614
"""
2799
2615
2800
2616
# Parsing an RFC 3339 duration with regular expressions is not
2801
2617
# possible - there would have to be multiple places for the same
2802
2618
# values, like seconds. The current code, while more esoteric, is
2803
2619
# cleaner without depending on a parsing library. If Python had a
2804
2620
# built-in library for parsing we would use it, but we'd like to
2805
2621
# avoid excessive use of external libraries.
2806
2622
2807
2623
# New type for defining tokens, syntax, and semantics all-in-one
2808
2624
Token = collections.namedtuple("Token", (
2809
2625
"regexp", # To match token; if "value" is not None, must have
2842
2658
frozenset((token_year, token_month,
2843
2659
token_day, token_time,
2844
2660
token_week)))
2845
# Define starting values:
2846
# Value so far
2847
value = datetime.timedelta()
2661
# Define starting values
2662
value = datetime.timedelta() # Value so far
2848
2663
found_token = None
2849
# Following valid tokens
2850
followers = frozenset((token_duration, ))
2851
# String left to parse
2852
s = duration
2664
followers = frozenset((token_duration, )) # Following valid tokens
2665
s = duration # String left to parse
2853
2666
# Loop until end token is found
2854
2667
while found_token is not token_end:
2855
2668
# Search for any currently valid tokens
2879
2692
2880
2693
def string_to_delta(interval):
2881
2694
"""Parse a string and return a datetime.timedelta
2882
2883
>>> string_to_delta('7d') == datetime.timedelta(7)
2884
True
2885
>>> string_to_delta('60s') == datetime.timedelta(0, 60)
2886
True
2887
>>> string_to_delta('60m') == datetime.timedelta(0, 3600)
2888
True
2889
>>> string_to_delta('24h') == datetime.timedelta(1)
2890
True
2891
>>> string_to_delta('1w') == datetime.timedelta(7)
2892
True
2893
>>> string_to_delta('5m 30s') == datetime.timedelta(0, 330)
2894
True
2695
2696
>>> string_to_delta('7d')
2697
datetime.timedelta(7)
2698
>>> string_to_delta('60s')
2699
datetime.timedelta(0, 60)
2700
>>> string_to_delta('60m')
2701
datetime.timedelta(0, 3600)
2702
>>> string_to_delta('24h')
2703
datetime.timedelta(1)
2704
>>> string_to_delta('1w')
2705
datetime.timedelta(7)
2706
>>> string_to_delta('5m 30s')
2707
datetime.timedelta(0, 330)
2895
2708
"""
2896
2709
2897
2710
try:
2898
2711
return rfc3339_duration_to_delta(interval)
2899
2712
except ValueError:
2900
2713
pass
2901
2714
2902
2715
timevalue = datetime.timedelta(0)
2903
2716
for s in interval.split():
2904
2717
try:
2922
2735
return timevalue
2923
2736
2924
2737
2925
def daemon(nochdir=False, noclose=False):
2738
def daemon(nochdir = False, noclose = False):
2926
2739
"""See daemon(3). Standard BSD Unix function.
2927
2740
2928
2741
This should really exist as os.daemon, but it doesn't (yet)."""
2929
2742
if os.fork():
2930
2743
sys.exit()
2948
2761
2949
2762
2950
2763
def main():
2951
2764
2952
2765
##################################################################
2953
2766
# Parsing of options, both command line and config file
2954
2767
2955
2768
parser = argparse.ArgumentParser()
2956
2769
parser.add_argument("-v", "--version", action="version",
2957
version="%(prog)s {}".format(version),
2770
version = "%(prog)s {}".format(version),
2958
2771
help="show version number and exit")
2959
2772
parser.add_argument("-i", "--interface", metavar="IF",
2960
2773
help="Bind to interface IF")
2996
2809
parser.add_argument("--no-zeroconf", action="store_false",
2997
2810
dest="zeroconf", help="Do not use Zeroconf",
2998
2811
default=None)
2999
2812
3000
2813
options = parser.parse_args()
3001
2814
2815
if options.check:
2816
import doctest
2817
fail_count, test_count = doctest.testmod()
2818
sys.exit(os.EX_OK if fail_count == 0 else 1)
2819
3002
2820
# Default values for config file for server-global settings
3003
if gnutls.has_rawpk:
3004
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3005
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3006
else:
3007
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3008
":+SIGN-DSA-SHA256")
3009
server_defaults = {"interface": "",
3010
"address": "",
3011
"port": "",
3012
"debug": "False",
3013
"priority": priority,
3014
"servicename": "Mandos",
3015
"use_dbus": "True",
3016
"use_ipv6": "True",
3017
"debuglevel": "",
3018
"restore": "True",
3019
"socket": "",
3020
"statedir": "/var/lib/mandos",
3021
"foreground": "False",
3022
"zeroconf": "True",
3023
}
3024
del priority
3025
2821
server_defaults = { "interface": "",
2822
"address": "",
2823
"port": "",
2824
"debug": "False",
2825
"priority":
2826
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2827
":+SIGN-DSA-SHA256",
2828
"servicename": "Mandos",
2829
"use_dbus": "True",
2830
"use_ipv6": "True",
2831
"debuglevel": "",
2832
"restore": "True",
2833
"socket": "",
2834
"statedir": "/var/lib/mandos",
2835
"foreground": "False",
2836
"zeroconf": "True",
2837
}
2838
3026
2839
# Parse config file for server-global settings
3027
server_config = configparser.ConfigParser(server_defaults)
2840
server_config = configparser.SafeConfigParser(server_defaults)
3028
2841
del server_defaults
3029
2842
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3030
# Convert the ConfigParser object to a dict
2843
# Convert the SafeConfigParser object to a dict
3031
2844
server_settings = server_config.defaults()
3032
2845
# Use the appropriate methods on the non-string config options
3033
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3034
"foreground", "zeroconf"):
2846
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3035
2847
server_settings[option] = server_config.getboolean("DEFAULT",
3036
2848
option)
3037
2849
if server_settings["port"]:
3047
2859
server_settings["socket"] = os.dup(server_settings
3048
2860
["socket"])
3049
2861
del server_config
3050
2862
3051
2863
# Override the settings from the config file with command line
3052
2864
# options, if set.
3053
2865
for option in ("interface", "address", "port", "debug",
3071
2883
if server_settings["debug"]:
3072
2884
server_settings["foreground"] = True
3073
2885
# Now we have our good server settings in "server_settings"
3074
2886
3075
2887
##################################################################
3076
2888
3077
2889
if (not server_settings["zeroconf"]
3078
2890
and not (server_settings["port"]
3079
2891
or server_settings["socket"] != "")):
3080
2892
parser.error("Needs port or socket to work without Zeroconf")
3081
2893
3082
2894
# For convenience
3083
2895
debug = server_settings["debug"]
3084
2896
debuglevel = server_settings["debuglevel"]
3088
2900
stored_state_file)
3089
2901
foreground = server_settings["foreground"]
3090
2902
zeroconf = server_settings["zeroconf"]
3091
2903
3092
2904
if debug:
3093
2905
initlogger(debug, logging.DEBUG)
3094
2906
else:
3097
2909
else:
3098
2910
level = getattr(logging, debuglevel.upper())
3099
2911
initlogger(debug, level)
3100
2912
3101
2913
if server_settings["servicename"] != "Mandos":
3102
2914
syslogger.setFormatter(
3103
2915
logging.Formatter('Mandos ({}) [%(process)d]:'
3104
2916
' %(levelname)s: %(message)s'.format(
3105
2917
server_settings["servicename"])))
3106
2918
3107
2919
# Parse config file with clients
3108
client_config = configparser.ConfigParser(Client.client_defaults)
2920
client_config = configparser.SafeConfigParser(Client
2921
.client_defaults)
3109
2922
client_config.read(os.path.join(server_settings["configdir"],
3110
2923
"clients.conf"))
3111
2924
3112
2925
global mandos_dbus_service
3113
2926
mandos_dbus_service = None
3114
2927
3115
2928
socketfd = None
3116
2929
if server_settings["socket"] != "":
3117
2930
socketfd = server_settings["socket"]
3133
2946
except IOError as e:
3134
2947
logger.error("Could not open file %r", pidfilename,
3135
2948
exc_info=e)
3136
2949
3137
2950
for name, group in (("_mandos", "_mandos"),
3138
2951
("mandos", "mandos"),
3139
2952
("nobody", "nogroup")):
3157
2970
.format(uid, gid, os.strerror(error.errno)))
3158
2971
if error.errno != errno.EPERM:
3159
2972
raise
3160
2973
3161
2974
if debug:
3162
2975
# Enable all possible GnuTLS debugging
3163
2976
3164
2977
# "Use a log level over 10 to enable all debugging options."
3165
2978
# - GnuTLS manual
3166
2979
gnutls.global_set_log_level(11)
3167
2980
3168
2981
@gnutls.log_func
3169
2982
def debug_gnutls(level, string):
3170
2983
logger.debug("GnuTLS: %s", string[:-1])
3171
2984
3172
2985
gnutls.global_set_log_function(debug_gnutls)
3173
2986
3174
2987
# Redirect stdin so all checkers get /dev/null
3175
2988
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3176
2989
os.dup2(null, sys.stdin.fileno())
3177
2990
if null > 2:
3178
2991
os.close(null)
3179
2992
3180
2993
# Need to fork before connecting to D-Bus
3181
2994
if not foreground:
3182
2995
# Close all input and output, do double fork, etc.
3183
2996
daemon()
3184
3185
if gi.version_info < (3, 10, 2):
3186
# multiprocessing will use threads, so before we use GLib we
3187
# need to inform GLib that threads will be used.
3188
GLib.threads_init()
3189
2997
2998
# multiprocessing will use threads, so before we use GObject we
2999
# need to inform GObject that threads will be used.
3000
GObject.threads_init()
3001
3190
3002
global main_loop
3191
3003
# From the Avahi example code
3192
3004
DBusGMainLoop(set_as_default=True)
3193
main_loop = GLib.MainLoop()
3005
main_loop = GObject.MainLoop()
3194
3006
bus = dbus.SystemBus()
3195
3007
# End of Avahi example code
3196
3008
if use_dbus:
3209
3021
if zeroconf:
3210
3022
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3211
3023
service = AvahiServiceToSyslog(
3212
name=server_settings["servicename"],
3213
servicetype="_mandos._tcp",
3214
protocol=protocol,
3215
bus=bus)
3024
name = server_settings["servicename"],
3025
servicetype = "_mandos._tcp",
3026
protocol = protocol,
3027
bus = bus)
3216
3028
if server_settings["interface"]:
3217
3029
service.interface = if_nametoindex(
3218
3030
server_settings["interface"].encode("utf-8"))
3219
3031
3220
3032
global multiprocessing_manager
3221
3033
multiprocessing_manager = multiprocessing.Manager()
3222
3034
3223
3035
client_class = Client
3224
3036
if use_dbus:
3225
client_class = functools.partial(ClientDBus, bus=bus)
3226
3037
client_class = functools.partial(ClientDBus, bus = bus)
3038
3227
3039
client_settings = Client.config_parser(client_config)
3228
3040
old_client_settings = {}
3229
3041
clients_data = {}
3230
3042
3231
3043
# This is used to redirect stdout and stderr for checker processes
3232
3044
global wnull
3233
wnull = open(os.devnull, "w") # A writable /dev/null
3045
wnull = open(os.devnull, "w") # A writable /dev/null
3234
3046
# Only used if server is running in foreground but not in debug
3235
3047
# mode
3236
3048
if debug or not foreground:
3237
3049
wnull.close()
3238
3050
3239
3051
# Get client data and settings from last running state.
3240
3052
if server_settings["restore"]:
3241
3053
try:
3242
3054
with open(stored_state_path, "rb") as stored_state:
3243
if sys.version_info.major == 2:
3055
if sys.version_info.major == 2:
3244
3056
clients_data, old_client_settings = pickle.load(
3245
3057
stored_state)
3246
3058
else:
3247
3059
bytes_clients_data, bytes_old_client_settings = (
3248
pickle.load(stored_state, encoding="bytes"))
3249
# Fix bytes to strings
3250
# clients_data
3060
pickle.load(stored_state, encoding = "bytes"))
3061
### Fix bytes to strings
3062
## clients_data
3251
3063
# .keys()
3252
clients_data = {(key.decode("utf-8")
3253
if isinstance(key, bytes)
3254
else key): value
3255
for key, value in
3256
bytes_clients_data.items()}
3257
del bytes_clients_data
3064
clients_data = { (key.decode("utf-8")
3065
if isinstance(key, bytes)
3066
else key): value
3067
for key, value in
3068
bytes_clients_data.items() }
3258
3069
for key in clients_data:
3259
value = {(k.decode("utf-8")
3260
if isinstance(k, bytes) else k): v
3261
for k, v in
3262
clients_data[key].items()}
3070
value = { (k.decode("utf-8")
3071
if isinstance(k, bytes) else k): v
3072
for k, v in
3073
clients_data[key].items() }
3263
3074
clients_data[key] = value
3264
3075
# .client_structure
3265
3076
value["client_structure"] = [
3266
3077
(s.decode("utf-8")
3267
3078
if isinstance(s, bytes)
3268
3079
else s) for s in
3269
value["client_structure"]]
3270
# .name, .host, and .checker_command
3271
for k in ("name", "host", "checker_command"):
3080
value["client_structure"] ]
3081
# .name & .host
3082
for k in ("name", "host"):
3272
3083
if isinstance(value[k], bytes):
3273
3084
value[k] = value[k].decode("utf-8")
3274
if "key_id" not in value:
3275
value["key_id"] = ""
3276
elif "fingerprint" not in value:
3277
value["fingerprint"] = ""
3278
# old_client_settings
3279
# .keys()
3085
## old_client_settings
3086
# .keys
3280
3087
old_client_settings = {
3281
3088
(key.decode("utf-8")
3282
3089
if isinstance(key, bytes)
3283
3090
else key): value
3284
3091
for key, value in
3285
bytes_old_client_settings.items()}
3286
del bytes_old_client_settings
3287
# .host and .checker_command
3092
bytes_old_client_settings.items() }
3093
# .host
3288
3094
for value in old_client_settings.values():
3289
for attribute in ("host", "checker_command"):
3290
if isinstance(value[attribute], bytes):
3291
value[attribute] = (value[attribute]
3292
.decode("utf-8"))
3095
value["host"] = value["host"].decode("utf-8")
3293
3096
os.remove(stored_state_path)
3294
3097
except IOError as e:
3295
3098
if e.errno == errno.ENOENT:
3303
3106
logger.warning("Could not load persistent state: "
3304
3107
"EOFError:",
3305
3108
exc_info=e)
3306
3109
3307
3110
with PGPEngine() as pgp:
3308
3111
for client_name, client in clients_data.items():
3309
3112
# Skip removed clients
3310
3113
if client_name not in client_settings:
3311
3114
continue
3312
3115
3313
3116
# Decide which value to use after restoring saved state.
3314
3117
# We have three different values: Old config file,
3315
3118
# new config file, and saved state.
3326
3129
client[name] = value
3327
3130
except KeyError:
3328
3131
pass
3329
3132
3330
3133
# Clients who has passed its expire date can still be
3331
3134
# enabled if its last checker was successful. A Client
3332
3135
# whose checker succeeded before we stored its state is
3365
3168
client_name))
3366
3169
client["secret"] = (client_settings[client_name]
3367
3170
["secret"])
3368
3171
3369
3172
# Add/remove clients based on new changes made to config
3370
3173
for client_name in (set(old_client_settings)
3371
3174
- set(client_settings)):
3373
3176
for client_name in (set(client_settings)
3374
3177
- set(old_client_settings)):
3375
3178
clients_data[client_name] = client_settings[client_name]
3376
3179
3377
3180
# Create all client objects
3378
3181
for client_name, client in clients_data.items():
3379
3182
tcp_server.clients[client_name] = client_class(
3380
name=client_name,
3381
settings=client,
3382
server_settings=server_settings)
3383
3183
name = client_name,
3184
settings = client,
3185
server_settings = server_settings)
3186
3384
3187
if not tcp_server.clients:
3385
3188
logger.warning("No clients defined")
3386
3189
3387
3190
if not foreground:
3388
3191
if pidfile is not None:
3389
3192
pid = os.getpid()
3395
3198
pidfilename, pid)
3396
3199
del pidfile
3397
3200
del pidfilename
3398
3399
for termsig in (signal.SIGHUP, signal.SIGTERM):
3400
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3401
lambda: main_loop.quit() and False)
3402
3201
3202
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
3203
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
3204
3403
3205
if use_dbus:
3404
3206
3405
3207
@alternate_dbus_interfaces(
3406
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3208
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3407
3209
class MandosDBusService(DBusObjectWithObjectManager):
3408
3210
"""A D-Bus proxy object"""
3409
3211
3410
3212
def __init__(self):
3411
3213
dbus.service.Object.__init__(self, bus, "/")
3412
3214
3413
3215
_interface = "se.recompile.Mandos"
3414
3216
3415
3217
@dbus.service.signal(_interface, signature="o")
3416
3218
def ClientAdded(self, objpath):
3417
3219
"D-Bus signal"
3418
3220
pass
3419
3221
3420
3222
@dbus.service.signal(_interface, signature="ss")
3421
def ClientNotFound(self, key_id, address):
3223
def ClientNotFound(self, fingerprint, address):
3422
3224
"D-Bus signal"
3423
3225
pass
3424
3226
3425
3227
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3426
3228
"true"})
3427
3229
@dbus.service.signal(_interface, signature="os")
3428
3230
def ClientRemoved(self, objpath, name):
3429
3231
"D-Bus signal"
3430
3232
pass
3431
3233
3432
3234
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3433
3235
"true"})
3434
3236
@dbus.service.method(_interface, out_signature="ao")
3436
3238
"D-Bus method"
3437
3239
return dbus.Array(c.dbus_object_path for c in
3438
3240
tcp_server.clients.values())
3439
3241
3440
3242
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3441
3243
"true"})
3442
3244
@dbus.service.method(_interface,
3444
3246
def GetAllClientsWithProperties(self):
3445
3247
"D-Bus method"
3446
3248
return dbus.Dictionary(
3447
{c.dbus_object_path: c.GetAll(
3249
{ c.dbus_object_path: c.GetAll(
3448
3250
"se.recompile.Mandos.Client")
3449
for c in tcp_server.clients.values()},
3251
for c in tcp_server.clients.values() },
3450
3252
signature="oa{sv}")
3451
3253
3452
3254
@dbus.service.method(_interface, in_signature="o")
3453
3255
def RemoveClient(self, object_path):
3454
3256
"D-Bus method"
3462
3264
self.client_removed_signal(c)
3463
3265
return
3464
3266
raise KeyError(object_path)
3465
3267
3466
3268
del _interface
3467
3269
3468
3270
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3469
out_signature="a{oa{sa{sv}}}")
3271
out_signature = "a{oa{sa{sv}}}")
3470
3272
def GetManagedObjects(self):
3471
3273
"""D-Bus method"""
3472
3274
return dbus.Dictionary(
3473
{client.dbus_object_path:
3474
dbus.Dictionary(
3475
{interface: client.GetAll(interface)
3476
for interface in
3477
client._get_all_interface_names()})
3478
for client in tcp_server.clients.values()})
3479
3275
{ client.dbus_object_path:
3276
dbus.Dictionary(
3277
{ interface: client.GetAll(interface)
3278
for interface in
3279
client._get_all_interface_names()})
3280
for client in tcp_server.clients.values()})
3281
3480
3282
def client_added_signal(self, client):
3481
3283
"""Send the new standard signal and the old signal"""
3482
3284
if use_dbus:
3484
3286
self.InterfacesAdded(
3485
3287
client.dbus_object_path,
3486
3288
dbus.Dictionary(
3487
{interface: client.GetAll(interface)
3488
for interface in
3489
client._get_all_interface_names()}))
3289
{ interface: client.GetAll(interface)
3290
for interface in
3291
client._get_all_interface_names()}))
3490
3292
# Old signal
3491
3293
self.ClientAdded(client.dbus_object_path)
3492
3294
3493
3295
def client_removed_signal(self, client):
3494
3296
"""Send the new standard signal and the old signal"""
3495
3297
if use_dbus:
3500
3302
# Old signal
3501
3303
self.ClientRemoved(client.dbus_object_path,
3502
3304
client.name)
3503
3305
3504
3306
mandos_dbus_service = MandosDBusService()
3505
3506
# Save modules to variables to exempt the modules from being
3507
# unloaded before the function registered with atexit() is run.
3508
mp = multiprocessing
3509
wn = wnull
3510
3307
3511
3308
def cleanup():
3512
3309
"Cleanup function; run on exit"
3513
3310
if zeroconf:
3514
3311
service.cleanup()
3515
3516
mp.active_children()
3517
wn.close()
3312
3313
multiprocessing.active_children()
3314
wnull.close()
3518
3315
if not (tcp_server.clients or client_settings):
3519
3316
return
3520
3317
3521
3318
# Store client before exiting. Secrets are encrypted with key
3522
3319
# based on what config file has. If config file is
3523
3320
# removed/edited, old secret will thus be unrecovable.
3528
3325
client.encrypted_secret = pgp.encrypt(client.secret,
3529
3326
key)
3530
3327
client_dict = {}
3531
3328
3532
3329
# A list of attributes that can not be pickled
3533
3330
# + secret.
3534
exclude = {"bus", "changedstate", "secret",
3535
"checker", "server_settings"}
3331
exclude = { "bus", "changedstate", "secret",
3332
"checker", "server_settings" }
3536
3333
for name, typ in inspect.getmembers(dbus.service
3537
3334
.Object):
3538
3335
exclude.add(name)
3539
3336
3540
3337
client_dict["encrypted_secret"] = (client
3541
3338
.encrypted_secret)
3542
3339
for attr in client.client_structure:
3543
3340
if attr not in exclude:
3544
3341
client_dict[attr] = getattr(client, attr)
3545
3342
3546
3343
clients[client.name] = client_dict
3547
3344
del client_settings[client.name]["secret"]
3548
3345
3549
3346
try:
3550
3347
with tempfile.NamedTemporaryFile(
3551
3348
mode='wb',
3554
3351
dir=os.path.dirname(stored_state_path),
3555
3352
delete=False) as stored_state:
3556
3353
pickle.dump((clients, client_settings), stored_state,
3557
protocol=2)
3354
protocol = 2)
3558
3355
tempname = stored_state.name
3559
3356
os.rename(tempname, stored_state_path)
3560
3357
except (IOError, OSError) as e:
3570
3367
logger.warning("Could not save persistent state:",
3571
3368
exc_info=e)
3572
3369
raise
3573
3370
3574
3371
# Delete all clients, and settings from config
3575
3372
while tcp_server.clients:
3576
3373
name, client = tcp_server.clients.popitem()
3582
3379
if use_dbus:
3583
3380
mandos_dbus_service.client_removed_signal(client)
3584
3381
client_settings.clear()
3585
3382
3586
3383
atexit.register(cleanup)
3587
3384
3588
3385
for client in tcp_server.clients.values():
3589
3386
if use_dbus:
3590
3387
# Emit D-Bus signal for adding
3592
3389
# Need to initiate checking of clients
3593
3390
if client.enabled:
3594
3391
client.init_checker()
3595
3392
3596
3393
tcp_server.enable()
3597
3394
tcp_server.server_activate()
3598
3395
3599
3396
# Find out what port we got
3600
3397
if zeroconf:
3601
3398
service.port = tcp_server.socket.getsockname()[1]
3606
3403
else: # IPv4
3607
3404
logger.info("Now listening on address %r, port %d",
3608
3405
*tcp_server.socket.getsockname())
3609
3610
# service.interface = tcp_server.socket.getsockname()[3]
3611
3406
3407
#service.interface = tcp_server.socket.getsockname()[3]
3408
3612
3409
try:
3613
3410
if zeroconf:
3614
3411
# From the Avahi example code
3619
3416
cleanup()
3620
3417
sys.exit(1)
3621
3418
# End of Avahi example code
3622
3623
GLib.io_add_watch(
3624
GLib.IOChannel.unix_new(tcp_server.fileno()),
3625
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3626
lambda *args, **kwargs: (tcp_server.handle_request
3627
(*args[2:], **kwargs) or True))
3628
3419
3420
GObject.io_add_watch(tcp_server.fileno(), GObject.IO_IN,
3421
lambda *args, **kwargs:
3422
(tcp_server.handle_request
3423
(*args[2:], **kwargs) or True))
3424
3629
3425
logger.debug("Starting main loop")
3630
3426
main_loop.run()
3631
3427
except AvahiError as error:
3640
3436
# Must run before the D-Bus bus name gets deregistered
3641
3437
cleanup()
3642
3438
3643
3644
def should_only_run_tests():
3645
parser = argparse.ArgumentParser(add_help=False)
3646
parser.add_argument("--check", action='store_true')
3647
args, unknown_args = parser.parse_known_args()
3648
run_tests = args.check
3649
if run_tests:
3650
# Remove --check argument from sys.argv
3651
sys.argv[1:] = unknown_args
3652
return run_tests
3653
3654
# Add all tests from doctest strings
3655
def load_tests(loader, tests, none):
3656
import doctest
3657
tests.addTests(doctest.DocTestSuite())
3658
return tests
3659
3439
3660
3440
if __name__ == '__main__':
3661
try:
3662
if should_only_run_tests():
3663
# Call using ./mandos --check [--verbose]
3664
unittest.main()
3665
else:
3666
main()
3667
finally:
3668
logging.shutdown()
3441
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0