To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 829
- compare with another revision
- download diff
- download tarball
- view history from revision 829
- Committer: Teddy Hogeborn
- Date: 2016-03-12 20:23:15 UTC
- Revision ID: teddy@recompile.se-20160312202315-hu7b87ivetlxqbw3
Server: Fix minor thing with Python 3 compatibility
Fix another small thing with unpickling string values.
* mandos (main): When restoring pickled client data, only decode byte
string for "host" key if it really is a byte string.
Fix another small thing with unpickling string values.
* mandos (main): When restoring pickled client data, only decode byte
string for "host" key if it really is a byte string.
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
38
41
39
42
try:
40
43
import SocketServer as socketserver
44
47
import argparse
45
48
import datetime
46
49
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
50
try:
54
51
import ConfigParser as configparser
55
52
except ImportError:
83
80
import dbus
84
81
import dbus.service
85
82
try:
86
import gobject
83
from gi.repository import GObject
87
84
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
85
import gobject as GObject
90
86
from dbus.mainloop.glib import DBusGMainLoop
91
87
import ctypes
92
88
import ctypes.util
104
100
if sys.version_info.major == 2:
105
101
str = unicode
106
102
107
version = "1.6.9"
103
version = "1.7.5"
108
104
stored_state_file = "clients.pickle"
109
105
110
106
logger = logging.getLogger()
125
121
return interface_index
126
122
127
123
124
def copy_function(func):
125
"""Make a copy of a function"""
126
if sys.version_info.major == 2:
127
return types.FunctionType(func.func_code,
128
func.func_globals,
129
func.func_name,
130
func.func_defaults,
131
func.func_closure)
132
else:
133
return types.FunctionType(func.__code__,
134
func.__globals__,
135
func.__name__,
136
func.__defaults__,
137
func.__closure__)
138
139
128
140
def initlogger(debug, level=logging.WARNING):
129
141
"""init logger and add loglevel"""
130
142
157
169
158
170
def __init__(self):
159
171
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
172
self.gpg = "gpg"
173
try:
174
output = subprocess.check_output(["gpgconf"])
175
for line in output.splitlines():
176
name, text, path = line.split(b":")
177
if name == "gpg":
178
self.gpg = path
179
break
180
except OSError as e:
181
if e.errno != errno.ENOENT:
182
raise
160
183
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
184
'--homedir', self.tempdir,
162
185
'--force-mdc',
163
186
'--quiet',
164
187
'--no-use-agent']
203
226
dir=self.tempdir) as passfile:
204
227
passfile.write(passphrase)
205
228
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
229
proc = subprocess.Popen([self.gpg, '--symmetric',
207
230
'--passphrase-file',
208
231
passfile.name]
209
232
+ self.gnupgargs,
221
244
dir = self.tempdir) as passfile:
222
245
passfile.write(passphrase)
223
246
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
247
proc = subprocess.Popen([self.gpg, '--decrypt',
225
248
'--passphrase-file',
226
249
passfile.name]
227
250
+ self.gnupgargs,
233
256
raise PGPError(err)
234
257
return decrypted_plaintext
235
258
259
# Pretend that we have an Avahi module
260
class Avahi(object):
261
"""This isn't so much a class as it is a module-like namespace.
262
It is instantiated once, and simulates having an Avahi module."""
263
IF_UNSPEC = -1 # avahi-common/address.h
264
PROTO_UNSPEC = -1 # avahi-common/address.h
265
PROTO_INET = 0 # avahi-common/address.h
266
PROTO_INET6 = 1 # avahi-common/address.h
267
DBUS_NAME = "org.freedesktop.Avahi"
268
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
269
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
270
DBUS_PATH_SERVER = "/"
271
def string_array_to_txt_array(self, t):
272
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
273
for s in t), signature="ay")
274
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
275
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
276
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
277
SERVER_INVALID = 0 # avahi-common/defs.h
278
SERVER_REGISTERING = 1 # avahi-common/defs.h
279
SERVER_RUNNING = 2 # avahi-common/defs.h
280
SERVER_COLLISION = 3 # avahi-common/defs.h
281
SERVER_FAILURE = 4 # avahi-common/defs.h
282
avahi = Avahi()
236
283
237
284
class AvahiError(Exception):
238
285
def __init__(self, value, *args, **kwargs):
435
482
.format(self.name)))
436
483
return ret
437
484
485
# Pretend that we have a GnuTLS module
486
class GnuTLS(object):
487
"""This isn't so much a class as it is a module-like namespace.
488
It is instantiated once, and simulates having a GnuTLS module."""
489
490
_library = ctypes.cdll.LoadLibrary(
491
ctypes.util.find_library("gnutls"))
492
_need_version = b"3.3.0"
493
def __init__(self):
494
# Need to use class name "GnuTLS" here, since this method is
495
# called before the assignment to the "gnutls" global variable
496
# happens.
497
if GnuTLS.check_version(self._need_version) is None:
498
raise GnuTLS.Error("Needs GnuTLS {} or later"
499
.format(self._need_version))
500
501
# Unless otherwise indicated, the constants and types below are
502
# all from the gnutls/gnutls.h C header file.
503
504
# Constants
505
E_SUCCESS = 0
506
E_INTERRUPTED = -52
507
E_AGAIN = -28
508
CRT_OPENPGP = 2
509
CLIENT = 2
510
SHUT_RDWR = 0
511
CRD_CERTIFICATE = 1
512
E_NO_CERTIFICATE_FOUND = -49
513
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
514
515
# Types
516
class session_int(ctypes.Structure):
517
_fields_ = []
518
session_t = ctypes.POINTER(session_int)
519
class certificate_credentials_st(ctypes.Structure):
520
_fields_ = []
521
certificate_credentials_t = ctypes.POINTER(
522
certificate_credentials_st)
523
certificate_type_t = ctypes.c_int
524
class datum_t(ctypes.Structure):
525
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
526
('size', ctypes.c_uint)]
527
class openpgp_crt_int(ctypes.Structure):
528
_fields_ = []
529
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
530
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
531
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
532
credentials_type_t = ctypes.c_int
533
transport_ptr_t = ctypes.c_void_p
534
close_request_t = ctypes.c_int
535
536
# Exceptions
537
class Error(Exception):
538
# We need to use the class name "GnuTLS" here, since this
539
# exception might be raised from within GnuTLS.__init__,
540
# which is called before the assignment to the "gnutls"
541
# global variable has happened.
542
def __init__(self, message = None, code = None, args=()):
543
# Default usage is by a message string, but if a return
544
# code is passed, convert it to a string with
545
# gnutls.strerror()
546
self.code = code
547
if message is None and code is not None:
548
message = GnuTLS.strerror(code)
549
return super(GnuTLS.Error, self).__init__(
550
message, *args)
551
552
class CertificateSecurityError(Error):
553
pass
554
555
# Classes
556
class Credentials(object):
557
def __init__(self):
558
self._c_object = gnutls.certificate_credentials_t()
559
gnutls.certificate_allocate_credentials(
560
ctypes.byref(self._c_object))
561
self.type = gnutls.CRD_CERTIFICATE
562
563
def __del__(self):
564
gnutls.certificate_free_credentials(self._c_object)
565
566
class ClientSession(object):
567
def __init__(self, socket, credentials = None):
568
self._c_object = gnutls.session_t()
569
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
570
gnutls.set_default_priority(self._c_object)
571
gnutls.transport_set_ptr(self._c_object, socket.fileno())
572
gnutls.handshake_set_private_extensions(self._c_object,
573
True)
574
self.socket = socket
575
if credentials is None:
576
credentials = gnutls.Credentials()
577
gnutls.credentials_set(self._c_object, credentials.type,
578
ctypes.cast(credentials._c_object,
579
ctypes.c_void_p))
580
self.credentials = credentials
581
582
def __del__(self):
583
gnutls.deinit(self._c_object)
584
585
def handshake(self):
586
return gnutls.handshake(self._c_object)
587
588
def send(self, data):
589
data = bytes(data)
590
data_len = len(data)
591
while data_len > 0:
592
data_len -= gnutls.record_send(self._c_object,
593
data[-data_len:],
594
data_len)
595
596
def bye(self):
597
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
598
599
# Error handling functions
600
def _error_code(result):
601
"""A function to raise exceptions on errors, suitable
602
for the 'restype' attribute on ctypes functions"""
603
if result >= 0:
604
return result
605
if result == gnutls.E_NO_CERTIFICATE_FOUND:
606
raise gnutls.CertificateSecurityError(code = result)
607
raise gnutls.Error(code = result)
608
609
def _retry_on_error(result, func, arguments):
610
"""A function to retry on some errors, suitable
611
for the 'errcheck' attribute on ctypes functions"""
612
while result < 0:
613
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
614
return _error_code(result)
615
result = func(*arguments)
616
return result
617
618
# Unless otherwise indicated, the function declarations below are
619
# all from the gnutls/gnutls.h C header file.
620
621
# Functions
622
priority_set_direct = _library.gnutls_priority_set_direct
623
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
624
ctypes.POINTER(ctypes.c_char_p)]
625
priority_set_direct.restype = _error_code
626
627
init = _library.gnutls_init
628
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
629
init.restype = _error_code
630
631
set_default_priority = _library.gnutls_set_default_priority
632
set_default_priority.argtypes = [session_t]
633
set_default_priority.restype = _error_code
634
635
record_send = _library.gnutls_record_send
636
record_send.argtypes = [session_t, ctypes.c_void_p,
637
ctypes.c_size_t]
638
record_send.restype = ctypes.c_ssize_t
639
record_send.errcheck = _retry_on_error
640
641
certificate_allocate_credentials = (
642
_library.gnutls_certificate_allocate_credentials)
643
certificate_allocate_credentials.argtypes = [
644
ctypes.POINTER(certificate_credentials_t)]
645
certificate_allocate_credentials.restype = _error_code
646
647
certificate_free_credentials = (
648
_library.gnutls_certificate_free_credentials)
649
certificate_free_credentials.argtypes = [certificate_credentials_t]
650
certificate_free_credentials.restype = None
651
652
handshake_set_private_extensions = (
653
_library.gnutls_handshake_set_private_extensions)
654
handshake_set_private_extensions.argtypes = [session_t,
655
ctypes.c_int]
656
handshake_set_private_extensions.restype = None
657
658
credentials_set = _library.gnutls_credentials_set
659
credentials_set.argtypes = [session_t, credentials_type_t,
660
ctypes.c_void_p]
661
credentials_set.restype = _error_code
662
663
strerror = _library.gnutls_strerror
664
strerror.argtypes = [ctypes.c_int]
665
strerror.restype = ctypes.c_char_p
666
667
certificate_type_get = _library.gnutls_certificate_type_get
668
certificate_type_get.argtypes = [session_t]
669
certificate_type_get.restype = _error_code
670
671
certificate_get_peers = _library.gnutls_certificate_get_peers
672
certificate_get_peers.argtypes = [session_t,
673
ctypes.POINTER(ctypes.c_uint)]
674
certificate_get_peers.restype = ctypes.POINTER(datum_t)
675
676
global_set_log_level = _library.gnutls_global_set_log_level
677
global_set_log_level.argtypes = [ctypes.c_int]
678
global_set_log_level.restype = None
679
680
global_set_log_function = _library.gnutls_global_set_log_function
681
global_set_log_function.argtypes = [log_func]
682
global_set_log_function.restype = None
683
684
deinit = _library.gnutls_deinit
685
deinit.argtypes = [session_t]
686
deinit.restype = None
687
688
handshake = _library.gnutls_handshake
689
handshake.argtypes = [session_t]
690
handshake.restype = _error_code
691
handshake.errcheck = _retry_on_error
692
693
transport_set_ptr = _library.gnutls_transport_set_ptr
694
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
695
transport_set_ptr.restype = None
696
697
bye = _library.gnutls_bye
698
bye.argtypes = [session_t, close_request_t]
699
bye.restype = _error_code
700
bye.errcheck = _retry_on_error
701
702
check_version = _library.gnutls_check_version
703
check_version.argtypes = [ctypes.c_char_p]
704
check_version.restype = ctypes.c_char_p
705
706
# All the function declarations below are from gnutls/openpgp.h
707
708
openpgp_crt_init = _library.gnutls_openpgp_crt_init
709
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
710
openpgp_crt_init.restype = _error_code
711
712
openpgp_crt_import = _library.gnutls_openpgp_crt_import
713
openpgp_crt_import.argtypes = [openpgp_crt_t,
714
ctypes.POINTER(datum_t),
715
openpgp_crt_fmt_t]
716
openpgp_crt_import.restype = _error_code
717
718
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
719
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
720
ctypes.POINTER(ctypes.c_uint)]
721
openpgp_crt_verify_self.restype = _error_code
722
723
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
724
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
725
openpgp_crt_deinit.restype = None
726
727
openpgp_crt_get_fingerprint = (
728
_library.gnutls_openpgp_crt_get_fingerprint)
729
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
730
ctypes.c_void_p,
731
ctypes.POINTER(
732
ctypes.c_size_t)]
733
openpgp_crt_get_fingerprint.restype = _error_code
734
735
# Remove non-public functions
736
del _error_code, _retry_on_error
737
# Create the global "gnutls" object, simulating a module
738
gnutls = GnuTLS()
739
438
740
def call_pipe(connection, # : multiprocessing.Connection
439
741
func, *args, **kwargs):
440
742
"""This function is meant to be called by multiprocessing.Process
455
757
checker: subprocess.Popen(); a running checker process used
456
758
to see if the client lives.
457
759
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
760
checker_callback_tag: a GObject event source tag, or None
459
761
checker_command: string; External command which is run to check
460
762
if client lives. %() expansions are done at
461
763
runtime with vars(self) as dict, so that for
462
764
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
765
checker_initiator_tag: a GObject event source tag, or None
464
766
created: datetime.datetime(); (UTC) object creation
465
767
client_structure: Object describing what attributes a client has
466
768
and is used for storing the client at exit
467
769
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
770
disable_initiator_tag: a GObject event source tag, or None
469
771
enabled: bool()
470
772
fingerprint: string (40 or 32 hexadecimal digits); used to
471
773
uniquely identify the client
534
836
client["fingerprint"] = (section["fingerprint"].upper()
535
837
.replace(" ", ""))
536
838
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
839
client["secret"] = codecs.decode(section["secret"]
840
.encode("utf-8"),
841
"base64")
538
842
elif "secfile" in section:
539
843
with open(os.path.expanduser(os.path.expandvars
540
844
(section["secfile"])),
593
897
self.changedstate = multiprocessing_manager.Condition(
594
898
multiprocessing_manager.Lock())
595
899
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
900
for attr in self.__dict__.keys()
597
901
if not attr.startswith("_")]
598
902
self.client_structure.append("client_structure")
599
903
625
929
if not quiet:
626
930
logger.info("Disabling client %s", self.name)
627
931
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
932
GObject.source_remove(self.disable_initiator_tag)
629
933
self.disable_initiator_tag = None
630
934
self.expires = None
631
935
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
936
GObject.source_remove(self.checker_initiator_tag)
633
937
self.checker_initiator_tag = None
634
938
self.stop_checker()
635
939
self.enabled = False
636
940
if not quiet:
637
941
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
942
# Do not run this again if called by a GObject.timeout_add
639
943
return False
640
944
641
945
def __del__(self):
645
949
# Schedule a new checker to be started an 'interval' from now,
646
950
# and every interval from then on.
647
951
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
952
GObject.source_remove(self.checker_initiator_tag)
953
self.checker_initiator_tag = GObject.timeout_add(
650
954
int(self.interval.total_seconds() * 1000),
651
955
self.start_checker)
652
956
# Schedule a disable() when 'timeout' has passed
653
957
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
958
GObject.source_remove(self.disable_initiator_tag)
959
self.disable_initiator_tag = GObject.timeout_add(
656
960
int(self.timeout.total_seconds() * 1000), self.disable)
657
961
# Also start a new checker *right now*.
658
962
self.start_checker()
694
998
if timeout is None:
695
999
timeout = self.timeout
696
1000
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1001
GObject.source_remove(self.disable_initiator_tag)
698
1002
self.disable_initiator_tag = None
699
1003
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1004
self.disable_initiator_tag = GObject.timeout_add(
701
1005
int(timeout.total_seconds() * 1000), self.disable)
702
1006
self.expires = datetime.datetime.utcnow() + timeout
703
1007
758
1062
args = (pipe[1], subprocess.call, command),
759
1063
kwargs = popen_args)
760
1064
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1065
self.checker_callback_tag = GObject.io_add_watch(
1066
pipe[0].fileno(), GObject.IO_IN,
763
1067
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1068
# Re-run this periodically if run by GObject.timeout_add
765
1069
return True
766
1070
767
1071
def stop_checker(self):
768
1072
"""Force the checker process, if any, to stop."""
769
1073
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1074
GObject.source_remove(self.checker_callback_tag)
771
1075
self.checker_callback_tag = None
772
1076
if getattr(self, "checker", None) is None:
773
1077
return
842
1146
access="r")
843
1147
def Property_dbus_property(self):
844
1148
return dbus.Boolean(False)
1149
1150
See also the DBusObjectWithAnnotations class.
845
1151
"""
846
1152
847
1153
def decorator(func):
869
1175
pass
870
1176
871
1177
872
class DBusObjectWithProperties(dbus.service.Object):
873
"""A D-Bus object with properties.
1178
class DBusObjectWithAnnotations(dbus.service.Object):
1179
"""A D-Bus object with annotations.
874
1180
875
Classes inheriting from this can use the dbus_service_property
876
decorator to expose methods as D-Bus properties. It exposes the
877
standard Get(), Set(), and GetAll() methods on the D-Bus.
1181
Classes inheriting from this can use the dbus_annotations
1182
decorator to add annotations to methods or signals.
878
1183
"""
879
1184
880
1185
@staticmethod
896
1201
for name, athing in
897
1202
inspect.getmembers(cls, self._is_dbus_thing(thing)))
898
1203
1204
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1205
out_signature = "s",
1206
path_keyword = 'object_path',
1207
connection_keyword = 'connection')
1208
def Introspect(self, object_path, connection):
1209
"""Overloading of standard D-Bus method.
1210
1211
Inserts annotation tags on methods and signals.
1212
"""
1213
xmlstring = dbus.service.Object.Introspect(self, object_path,
1214
connection)
1215
try:
1216
document = xml.dom.minidom.parseString(xmlstring)
1217
1218
for if_tag in document.getElementsByTagName("interface"):
1219
# Add annotation tags
1220
for typ in ("method", "signal"):
1221
for tag in if_tag.getElementsByTagName(typ):
1222
annots = dict()
1223
for name, prop in (self.
1224
_get_all_dbus_things(typ)):
1225
if (name == tag.getAttribute("name")
1226
and prop._dbus_interface
1227
== if_tag.getAttribute("name")):
1228
annots.update(getattr(
1229
prop, "_dbus_annotations", {}))
1230
for name, value in annots.items():
1231
ann_tag = document.createElement(
1232
"annotation")
1233
ann_tag.setAttribute("name", name)
1234
ann_tag.setAttribute("value", value)
1235
tag.appendChild(ann_tag)
1236
# Add interface annotation tags
1237
for annotation, value in dict(
1238
itertools.chain.from_iterable(
1239
annotations().items()
1240
for name, annotations
1241
in self._get_all_dbus_things("interface")
1242
if name == if_tag.getAttribute("name")
1243
)).items():
1244
ann_tag = document.createElement("annotation")
1245
ann_tag.setAttribute("name", annotation)
1246
ann_tag.setAttribute("value", value)
1247
if_tag.appendChild(ann_tag)
1248
# Fix argument name for the Introspect method itself
1249
if (if_tag.getAttribute("name")
1250
== dbus.INTROSPECTABLE_IFACE):
1251
for cn in if_tag.getElementsByTagName("method"):
1252
if cn.getAttribute("name") == "Introspect":
1253
for arg in cn.getElementsByTagName("arg"):
1254
if (arg.getAttribute("direction")
1255
== "out"):
1256
arg.setAttribute("name",
1257
"xml_data")
1258
xmlstring = document.toxml("utf-8")
1259
document.unlink()
1260
except (AttributeError, xml.dom.DOMException,
1261
xml.parsers.expat.ExpatError) as error:
1262
logger.error("Failed to override Introspection method",
1263
exc_info=error)
1264
return xmlstring
1265
1266
1267
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1268
"""A D-Bus object with properties.
1269
1270
Classes inheriting from this can use the dbus_service_property
1271
decorator to expose methods as D-Bus properties. It exposes the
1272
standard Get(), Set(), and GetAll() methods on the D-Bus.
1273
"""
1274
899
1275
def _get_dbus_property(self, interface_name, property_name):
900
1276
"""Returns a bound method if one exists which is a D-Bus
901
1277
property with the specified name and interface.
911
1287
raise DBusPropertyNotFound("{}:{}.{}".format(
912
1288
self.dbus_object_path, interface_name, property_name))
913
1289
1290
@classmethod
1291
def _get_all_interface_names(cls):
1292
"""Get a sequence of all interfaces supported by an object"""
1293
return (name for name in set(getattr(getattr(x, attr),
1294
"_dbus_interface", None)
1295
for x in (inspect.getmro(cls))
1296
for attr in dir(x))
1297
if name is not None)
1298
914
1299
@dbus.service.method(dbus.PROPERTIES_IFACE,
915
1300
in_signature="ss",
916
1301
out_signature="v")
986
1371
987
1372
Inserts property tags and interface annotation tags.
988
1373
"""
989
xmlstring = dbus.service.Object.Introspect(self, object_path,
990
connection)
1374
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1375
object_path,
1376
connection)
991
1377
try:
992
1378
document = xml.dom.minidom.parseString(xmlstring)
993
1379
1006
1392
if prop._dbus_interface
1007
1393
== if_tag.getAttribute("name")):
1008
1394
if_tag.appendChild(tag)
1009
# Add annotation tags
1010
for typ in ("method", "signal", "property"):
1011
for tag in if_tag.getElementsByTagName(typ):
1012
annots = dict()
1013
for name, prop in (self.
1014
_get_all_dbus_things(typ)):
1015
if (name == tag.getAttribute("name")
1016
and prop._dbus_interface
1017
== if_tag.getAttribute("name")):
1018
annots.update(getattr(
1019
prop, "_dbus_annotations", {}))
1020
for name, value in annots.items():
1021
ann_tag = document.createElement(
1022
"annotation")
1023
ann_tag.setAttribute("name", name)
1024
ann_tag.setAttribute("value", value)
1025
tag.appendChild(ann_tag)
1026
# Add interface annotation tags
1027
for annotation, value in dict(
1028
itertools.chain.from_iterable(
1029
annotations().items()
1030
for name, annotations
1031
in self._get_all_dbus_things("interface")
1032
if name == if_tag.getAttribute("name")
1033
)).items():
1034
ann_tag = document.createElement("annotation")
1035
ann_tag.setAttribute("name", annotation)
1036
ann_tag.setAttribute("value", value)
1037
if_tag.appendChild(ann_tag)
1395
# Add annotation tags for properties
1396
for tag in if_tag.getElementsByTagName("property"):
1397
annots = dict()
1398
for name, prop in self._get_all_dbus_things(
1399
"property"):
1400
if (name == tag.getAttribute("name")
1401
and prop._dbus_interface
1402
== if_tag.getAttribute("name")):
1403
annots.update(getattr(
1404
prop, "_dbus_annotations", {}))
1405
for name, value in annots.items():
1406
ann_tag = document.createElement(
1407
"annotation")
1408
ann_tag.setAttribute("name", name)
1409
ann_tag.setAttribute("value", value)
1410
tag.appendChild(ann_tag)
1038
1411
# Add the names to the return values for the
1039
1412
# "org.freedesktop.DBus.Properties" methods
1040
1413
if (if_tag.getAttribute("name")
1058
1431
exc_info=error)
1059
1432
return xmlstring
1060
1433
1434
try:
1435
dbus.OBJECT_MANAGER_IFACE
1436
except AttributeError:
1437
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1438
1439
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1440
"""A D-Bus object with an ObjectManager.
1441
1442
Classes inheriting from this exposes the standard
1443
GetManagedObjects call and the InterfacesAdded and
1444
InterfacesRemoved signals on the standard
1445
"org.freedesktop.DBus.ObjectManager" interface.
1446
1447
Note: No signals are sent automatically; they must be sent
1448
manually.
1449
"""
1450
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1451
out_signature = "a{oa{sa{sv}}}")
1452
def GetManagedObjects(self):
1453
"""This function must be overridden"""
1454
raise NotImplementedError()
1455
1456
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1457
signature = "oa{sa{sv}}")
1458
def InterfacesAdded(self, object_path, interfaces_and_properties):
1459
pass
1460
1461
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1462
def InterfacesRemoved(self, object_path, interfaces):
1463
pass
1464
1465
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1466
out_signature = "s",
1467
path_keyword = 'object_path',
1468
connection_keyword = 'connection')
1469
def Introspect(self, object_path, connection):
1470
"""Overloading of standard D-Bus method.
1471
1472
Override return argument name of GetManagedObjects to be
1473
"objpath_interfaces_and_properties"
1474
"""
1475
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1476
object_path,
1477
connection)
1478
try:
1479
document = xml.dom.minidom.parseString(xmlstring)
1480
1481
for if_tag in document.getElementsByTagName("interface"):
1482
# Fix argument name for the GetManagedObjects method
1483
if (if_tag.getAttribute("name")
1484
== dbus.OBJECT_MANAGER_IFACE):
1485
for cn in if_tag.getElementsByTagName("method"):
1486
if (cn.getAttribute("name")
1487
== "GetManagedObjects"):
1488
for arg in cn.getElementsByTagName("arg"):
1489
if (arg.getAttribute("direction")
1490
== "out"):
1491
arg.setAttribute(
1492
"name",
1493
"objpath_interfaces"
1494
"_and_properties")
1495
xmlstring = document.toxml("utf-8")
1496
document.unlink()
1497
except (AttributeError, xml.dom.DOMException,
1498
xml.parsers.expat.ExpatError) as error:
1499
logger.error("Failed to override Introspection method",
1500
exc_info = error)
1501
return xmlstring
1061
1502
1062
1503
def datetime_to_dbus(dt, variant_level=0):
1063
1504
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1110
1551
interface_names.add(alt_interface)
1111
1552
# Is this a D-Bus signal?
1112
1553
if getattr(attribute, "_dbus_is_signal", False):
1554
# Extract the original non-method undecorated
1555
# function by black magic
1113
1556
if sys.version_info.major == 2:
1114
# Extract the original non-method undecorated
1115
# function by black magic
1116
1557
nonmethod_func = (dict(
1117
1558
zip(attribute.func_code.co_freevars,
1118
1559
attribute.__closure__))
1119
1560
["func"].cell_contents)
1120
1561
else:
1121
nonmethod_func = attribute
1562
nonmethod_func = (dict(
1563
zip(attribute.__code__.co_freevars,
1564
attribute.__closure__))
1565
["func"].cell_contents)
1122
1566
# Create a new, but exactly alike, function
1123
1567
# object, and decorate it to be a new D-Bus signal
1124
1568
# with the alternate D-Bus interface name
1125
if sys.version_info.major == 2:
1126
new_function = types.FunctionType(
1127
nonmethod_func.func_code,
1128
nonmethod_func.func_globals,
1129
nonmethod_func.func_name,
1130
nonmethod_func.func_defaults,
1131
nonmethod_func.func_closure)
1132
else:
1133
new_function = types.FunctionType(
1134
nonmethod_func.__code__,
1135
nonmethod_func.__globals__,
1136
nonmethod_func.__name__,
1137
nonmethod_func.__defaults__,
1138
nonmethod_func.__closure__)
1569
new_function = copy_function(nonmethod_func)
1139
1570
new_function = (dbus.service.signal(
1140
1571
alt_interface,
1141
1572
attribute._dbus_signature)(new_function))
1154
1585
func1 and func2 to the "call_both" function
1155
1586
outside of its arguments"""
1156
1587
1588
@functools.wraps(func2)
1157
1589
def call_both(*args, **kwargs):
1158
1590
"""This function will emit two D-Bus
1159
1591
signals by calling func1 and func2"""
1160
1592
func1(*args, **kwargs)
1161
1593
func2(*args, **kwargs)
1594
# Make wrapper function look like a D-Bus signal
1595
for name, attr in inspect.getmembers(func2):
1596
if name.startswith("_dbus_"):
1597
setattr(call_both, name, attr)
1162
1598
1163
1599
return call_both
1164
1600
# Create the "call_both" function and add it to
1175
1611
alt_interface,
1176
1612
attribute._dbus_in_signature,
1177
1613
attribute._dbus_out_signature)
1178
(types.FunctionType(attribute.func_code,
1179
attribute.func_globals,
1180
attribute.func_name,
1181
attribute.func_defaults,
1182
attribute.func_closure)))
1614
(copy_function(attribute)))
1183
1615
# Copy annotations, if any
1184
1616
try:
1185
1617
attr[attrname]._dbus_annotations = dict(
1197
1629
attribute._dbus_access,
1198
1630
attribute._dbus_get_args_options
1199
1631
["byte_arrays"])
1200
(types.FunctionType(
1201
attribute.func_code,
1202
attribute.func_globals,
1203
attribute.func_name,
1204
attribute.func_defaults,
1205
attribute.func_closure)))
1632
(copy_function(attribute)))
1206
1633
# Copy annotations, if any
1207
1634
try:
1208
1635
attr[attrname]._dbus_annotations = dict(
1217
1644
# to the class.
1218
1645
attr[attrname] = (
1219
1646
dbus_interface_annotations(alt_interface)
1220
(types.FunctionType(attribute.func_code,
1221
attribute.func_globals,
1222
attribute.func_name,
1223
attribute.func_defaults,
1224
attribute.func_closure)))
1647
(copy_function(attribute)))
1225
1648
if deprecate:
1226
1649
# Deprecate all alternate interfaces
1227
1650
iname="_AlternateDBusNames_interface_annotation{}"
1240
1663
if interface_names:
1241
1664
# Replace the class with a new subclass of it with
1242
1665
# methods, signals, etc. as created above.
1243
cls = type(b"{}Alternate".format(cls.__name__),
1244
(cls, ), attr)
1666
if sys.version_info.major == 2:
1667
cls = type(b"{}Alternate".format(cls.__name__),
1668
(cls, ), attr)
1669
else:
1670
cls = type("{}Alternate".format(cls.__name__),
1671
(cls, ), attr)
1245
1672
return cls
1246
1673
1247
1674
return wrapper
1376
1803
if exitstatus >= 0:
1377
1804
# Emit D-Bus signal
1378
1805
self.CheckerCompleted(dbus.Int16(exitstatus),
1379
dbus.Int64(0),
1806
# This is specific to GNU libC
1807
dbus.Int64(exitstatus << 8),
1380
1808
dbus.String(command))
1381
1809
else:
1382
1810
# Emit D-Bus signal
1383
1811
self.CheckerCompleted(dbus.Int16(-1),
1384
1812
dbus.Int64(
1385
self.last_checker_signal),
1813
# This is specific to GNU libC
1814
(exitstatus << 8)
1815
| self.last_checker_signal),
1386
1816
dbus.String(command))
1387
1817
return ret
1388
1818
1402
1832
1403
1833
def approve(self, value=True):
1404
1834
self.approved = value
1405
gobject.timeout_add(int(self.approval_duration.total_seconds()
1835
GObject.timeout_add(int(self.approval_duration.total_seconds()
1406
1836
* 1000), self._reset_approved)
1407
1837
self.send_changedstate()
1408
1838
1465
1895
self.checked_ok()
1466
1896
1467
1897
# Enable - method
1898
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1468
1899
@dbus.service.method(_interface)
1469
1900
def Enable(self):
1470
1901
"D-Bus method"
1471
1902
self.enable()
1472
1903
1473
1904
# StartChecker - method
1905
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1474
1906
@dbus.service.method(_interface)
1475
1907
def StartChecker(self):
1476
1908
"D-Bus method"
1477
1909
self.start_checker()
1478
1910
1479
1911
# Disable - method
1912
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1480
1913
@dbus.service.method(_interface)
1481
1914
def Disable(self):
1482
1915
"D-Bus method"
1483
1916
self.disable()
1484
1917
1485
1918
# StopChecker - method
1919
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1486
1920
@dbus.service.method(_interface)
1487
1921
def StopChecker(self):
1488
1922
self.stop_checker()
1524
1958
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1525
1959
1526
1960
# Name - property
1961
@dbus_annotations(
1962
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1527
1963
@dbus_service_property(_interface, signature="s", access="read")
1528
1964
def Name_dbus_property(self):
1529
1965
return dbus.String(self.name)
1530
1966
1531
1967
# Fingerprint - property
1968
@dbus_annotations(
1969
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1532
1970
@dbus_service_property(_interface, signature="s", access="read")
1533
1971
def Fingerprint_dbus_property(self):
1534
1972
return dbus.String(self.fingerprint)
1543
1981
self.host = str(value)
1544
1982
1545
1983
# Created - property
1984
@dbus_annotations(
1985
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1546
1986
@dbus_service_property(_interface, signature="s", access="read")
1547
1987
def Created_dbus_property(self):
1548
1988
return datetime_to_dbus(self.created)
1609
2049
if (getattr(self, "disable_initiator_tag", None)
1610
2050
is None):
1611
2051
return
1612
gobject.source_remove(self.disable_initiator_tag)
1613
self.disable_initiator_tag = gobject.timeout_add(
2052
GObject.source_remove(self.disable_initiator_tag)
2053
self.disable_initiator_tag = GObject.timeout_add(
1614
2054
int((self.expires - now).total_seconds() * 1000),
1615
2055
self.disable)
1616
2056
1636
2076
return
1637
2077
if self.enabled:
1638
2078
# Reschedule checker run
1639
gobject.source_remove(self.checker_initiator_tag)
1640
self.checker_initiator_tag = gobject.timeout_add(
2079
GObject.source_remove(self.checker_initiator_tag)
2080
self.checker_initiator_tag = GObject.timeout_add(
1641
2081
value, self.start_checker)
1642
2082
self.start_checker() # Start one now, too
1643
2083
1663
2103
self.stop_checker()
1664
2104
1665
2105
# ObjectPath - property
2106
@dbus_annotations(
2107
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2108
"org.freedesktop.DBus.Deprecated": "true"})
1666
2109
@dbus_service_property(_interface, signature="o", access="read")
1667
2110
def ObjectPath_dbus_property(self):
1668
2111
return self.dbus_object_path # is already a dbus.ObjectPath
1669
2112
1670
2113
# Secret = property
2114
@dbus_annotations(
2115
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2116
"invalidates"})
1671
2117
@dbus_service_property(_interface,
1672
2118
signature="ay",
1673
2119
access="write",
1719
2165
logger.debug("Pipe FD: %d",
1720
2166
self.server.child_pipe.fileno())
1721
2167
1722
session = gnutls.connection.ClientSession(
1723
self.request, gnutls.connection .X509Credentials())
1724
1725
# Note: gnutls.connection.X509Credentials is really a
1726
# generic GnuTLS certificate credentials object so long as
1727
# no X.509 keys are added to it. Therefore, we can use it
1728
# here despite using OpenPGP certificates.
2168
session = gnutls.ClientSession(self.request)
1729
2169
1730
2170
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1731
2171
# "+AES-256-CBC", "+SHA1",
1735
2175
priority = self.server.gnutls_priority
1736
2176
if priority is None:
1737
2177
priority = "NORMAL"
1738
gnutls.library.functions.gnutls_priority_set_direct(
1739
session._c_object, priority, None)
2178
gnutls.priority_set_direct(session._c_object, priority,
2179
None)
1740
2180
1741
2181
# Start communication using the Mandos protocol
1742
2182
# Get protocol number
1752
2192
# Start GnuTLS connection
1753
2193
try:
1754
2194
session.handshake()
1755
except gnutls.errors.GNUTLSError as error:
2195
except gnutls.Error as error:
1756
2196
logger.warning("Handshake failed: %s", error)
1757
2197
# Do not run session.bye() here: the session is not
1758
2198
# established. Just abandon the request.
1764
2204
try:
1765
2205
fpr = self.fingerprint(
1766
2206
self.peer_certificate(session))
1767
except (TypeError,
1768
gnutls.errors.GNUTLSError) as error:
2207
except (TypeError, gnutls.Error) as error:
1769
2208
logger.warning("Bad certificate: %s", error)
1770
2209
return
1771
2210
logger.debug("Fingerprint: %s", fpr)
1829
2268
else:
1830
2269
delay -= time2 - time
1831
2270
1832
sent_size = 0
1833
while sent_size < len(client.secret):
1834
try:
1835
sent = session.send(client.secret[sent_size:])
1836
except gnutls.errors.GNUTLSError as error:
1837
logger.warning("gnutls send failed",
1838
exc_info=error)
1839
return
1840
logger.debug("Sent: %d, remaining: %d", sent,
1841
len(client.secret) - (sent_size
1842
+ sent))
1843
sent_size += sent
2271
try:
2272
session.send(client.secret)
2273
except gnutls.Error as error:
2274
logger.warning("gnutls send failed",
2275
exc_info = error)
2276
return
1844
2277
1845
2278
logger.info("Sending secret to %s", client.name)
1846
2279
# bump the timeout using extended_timeout
1854
2287
client.approvals_pending -= 1
1855
2288
try:
1856
2289
session.bye()
1857
except gnutls.errors.GNUTLSError as error:
2290
except gnutls.Error as error:
1858
2291
logger.warning("GnuTLS bye failed",
1859
2292
exc_info=error)
1860
2293
1862
2295
def peer_certificate(session):
1863
2296
"Return the peer's OpenPGP certificate as a bytestring"
1864
2297
# If not an OpenPGP certificate...
1865
if (gnutls.library.functions.gnutls_certificate_type_get(
1866
session._c_object)
1867
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1868
# ...do the normal thing
1869
return session.peer_certificate
2298
if (gnutls.certificate_type_get(session._c_object)
2299
!= gnutls.CRT_OPENPGP):
2300
# ...return invalid data
2301
return b""
1870
2302
list_size = ctypes.c_uint(1)
1871
cert_list = (gnutls.library.functions
1872
.gnutls_certificate_get_peers
2303
cert_list = (gnutls.certificate_get_peers
1873
2304
(session._c_object, ctypes.byref(list_size)))
1874
2305
if not bool(cert_list) and list_size.value != 0:
1875
raise gnutls.errors.GNUTLSError("error getting peer"
1876
" certificate")
2306
raise gnutls.Error("error getting peer certificate")
1877
2307
if list_size.value == 0:
1878
2308
return None
1879
2309
cert = cert_list[0]
1883
2313
def fingerprint(openpgp):
1884
2314
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1885
2315
# New GnuTLS "datum" with the OpenPGP public key
1886
datum = gnutls.library.types.gnutls_datum_t(
2316
datum = gnutls.datum_t(
1887
2317
ctypes.cast(ctypes.c_char_p(openpgp),
1888
2318
ctypes.POINTER(ctypes.c_ubyte)),
1889
2319
ctypes.c_uint(len(openpgp)))
1890
2320
# New empty GnuTLS certificate
1891
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1892
gnutls.library.functions.gnutls_openpgp_crt_init(
1893
ctypes.byref(crt))
2321
crt = gnutls.openpgp_crt_t()
2322
gnutls.openpgp_crt_init(ctypes.byref(crt))
1894
2323
# Import the OpenPGP public key into the certificate
1895
gnutls.library.functions.gnutls_openpgp_crt_import(
1896
crt, ctypes.byref(datum),
1897
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2324
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2325
gnutls.OPENPGP_FMT_RAW)
1898
2326
# Verify the self signature in the key
1899
2327
crtverify = ctypes.c_uint()
1900
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
1901
crt, 0, ctypes.byref(crtverify))
2328
gnutls.openpgp_crt_verify_self(crt, 0,
2329
ctypes.byref(crtverify))
1902
2330
if crtverify.value != 0:
1903
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1904
raise gnutls.errors.CertificateSecurityError(
1905
"Verify failed")
2331
gnutls.openpgp_crt_deinit(crt)
2332
raise gnutls.CertificateSecurityError("Verify failed")
1906
2333
# New buffer for the fingerprint
1907
2334
buf = ctypes.create_string_buffer(20)
1908
2335
buf_len = ctypes.c_size_t()
1909
2336
# Get the fingerprint from the certificate into the buffer
1910
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
1911
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2337
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2338
ctypes.byref(buf_len))
1912
2339
# Deinit the certificate
1913
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2340
gnutls.openpgp_crt_deinit(crt)
1914
2341
# Convert the buffer to a Python bytestring
1915
2342
fpr = ctypes.string_at(buf, buf_len.value)
1916
2343
# Convert the bytestring to hexadecimal notation
2060
2487
gnutls_priority GnuTLS priority string
2061
2488
use_dbus: Boolean; to emit D-Bus signals or not
2062
2489
2063
Assumes a gobject.MainLoop event loop.
2490
Assumes a GObject.MainLoop event loop.
2064
2491
"""
2065
2492
2066
2493
def __init__(self, server_address, RequestHandlerClass,
2091
2518
2092
2519
def add_pipe(self, parent_pipe, proc):
2093
2520
# Call "handle_ipc" for both data and EOF events
2094
gobject.io_add_watch(
2521
GObject.io_add_watch(
2095
2522
parent_pipe.fileno(),
2096
gobject.IO_IN | gobject.IO_HUP,
2523
GObject.IO_IN | GObject.IO_HUP,
2097
2524
functools.partial(self.handle_ipc,
2098
2525
parent_pipe = parent_pipe,
2099
2526
proc = proc))
2103
2530
proc = None,
2104
2531
client_object=None):
2105
2532
# error, or the other end of multiprocessing.Pipe has closed
2106
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2533
if condition & (GObject.IO_ERR | GObject.IO_HUP):
2107
2534
# Wait for other process to exit
2108
2535
proc.join()
2109
2536
return False
2116
2543
fpr = request[1]
2117
2544
address = request[2]
2118
2545
2119
for c in self.clients.itervalues():
2546
for c in self.clients.values():
2120
2547
if c.fingerprint == fpr:
2121
2548
client = c
2122
2549
break
2130
2557
parent_pipe.send(False)
2131
2558
return False
2132
2559
2133
gobject.io_add_watch(
2560
GObject.io_add_watch(
2134
2561
parent_pipe.fileno(),
2135
gobject.IO_IN | gobject.IO_HUP,
2562
GObject.IO_IN | GObject.IO_HUP,
2136
2563
functools.partial(self.handle_ipc,
2137
2564
parent_pipe = parent_pipe,
2138
2565
proc = proc,
2397
2824
"debug": "False",
2398
2825
"priority":
2399
2826
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2400
":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2827
":+SIGN-DSA-SHA256",
2401
2828
"servicename": "Mandos",
2402
2829
"use_dbus": "True",
2403
2830
"use_ipv6": "True",
2520
2947
logger.error("Could not open file %r", pidfilename,
2521
2948
exc_info=e)
2522
2949
2523
for name in ("_mandos", "mandos", "nobody"):
2950
for name, group in (("_mandos", "_mandos"),
2951
("mandos", "mandos"),
2952
("nobody", "nogroup")):
2524
2953
try:
2525
2954
uid = pwd.getpwnam(name).pw_uid
2526
gid = pwd.getpwnam(name).pw_gid
2955
gid = pwd.getpwnam(group).pw_gid
2527
2956
break
2528
2957
except KeyError:
2529
2958
continue
2533
2962
try:
2534
2963
os.setgid(gid)
2535
2964
os.setuid(uid)
2965
if debug:
2966
logger.debug("Did setuid/setgid to {}:{}".format(uid,
2967
gid))
2536
2968
except OSError as error:
2969
logger.warning("Failed to setuid/setgid to {}:{}: {}"
2970
.format(uid, gid, os.strerror(error.errno)))
2537
2971
if error.errno != errno.EPERM:
2538
2972
raise
2539
2973
2542
2976
2543
2977
# "Use a log level over 10 to enable all debugging options."
2544
2978
# - GnuTLS manual
2545
gnutls.library.functions.gnutls_global_set_log_level(11)
2979
gnutls.global_set_log_level(11)
2546
2980
2547
@gnutls.library.types.gnutls_log_func
2981
@gnutls.log_func
2548
2982
def debug_gnutls(level, string):
2549
2983
logger.debug("GnuTLS: %s", string[:-1])
2550
2984
2551
gnutls.library.functions.gnutls_global_set_log_function(
2552
debug_gnutls)
2985
gnutls.global_set_log_function(debug_gnutls)
2553
2986
2554
2987
# Redirect stdin so all checkers get /dev/null
2555
2988
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2562
2995
# Close all input and output, do double fork, etc.
2563
2996
daemon()
2564
2997
2565
# multiprocessing will use threads, so before we use gobject we
2566
# need to inform gobject that threads will be used.
2567
gobject.threads_init()
2998
# multiprocessing will use threads, so before we use GObject we
2999
# need to inform GObject that threads will be used.
3000
GObject.threads_init()
2568
3001
2569
3002
global main_loop
2570
3003
# From the Avahi example code
2571
3004
DBusGMainLoop(set_as_default=True)
2572
main_loop = gobject.MainLoop()
3005
main_loop = GObject.MainLoop()
2573
3006
bus = dbus.SystemBus()
2574
3007
# End of Avahi example code
2575
3008
if use_dbus:
2619
3052
if server_settings["restore"]:
2620
3053
try:
2621
3054
with open(stored_state_path, "rb") as stored_state:
2622
clients_data, old_client_settings = pickle.load(
2623
stored_state)
3055
if sys.version_info.major == 2:
3056
clients_data, old_client_settings = pickle.load(
3057
stored_state)
3058
else:
3059
bytes_clients_data, bytes_old_client_settings = (
3060
pickle.load(stored_state, encoding = "bytes"))
3061
### Fix bytes to strings
3062
## clients_data
3063
# .keys()
3064
clients_data = { (key.decode("utf-8")
3065
if isinstance(key, bytes)
3066
else key): value
3067
for key, value in
3068
bytes_clients_data.items() }
3069
del bytes_clients_data
3070
for key in clients_data:
3071
value = { (k.decode("utf-8")
3072
if isinstance(k, bytes) else k): v
3073
for k, v in
3074
clients_data[key].items() }
3075
clients_data[key] = value
3076
# .client_structure
3077
value["client_structure"] = [
3078
(s.decode("utf-8")
3079
if isinstance(s, bytes)
3080
else s) for s in
3081
value["client_structure"] ]
3082
# .name & .host
3083
for k in ("name", "host"):
3084
if isinstance(value[k], bytes):
3085
value[k] = value[k].decode("utf-8")
3086
## old_client_settings
3087
# .keys()
3088
old_client_settings = {
3089
(key.decode("utf-8")
3090
if isinstance(key, bytes)
3091
else key): value
3092
for key, value in
3093
bytes_old_client_settings.items() }
3094
del bytes_old_client_settings
3095
# .host
3096
for value in old_client_settings.values():
3097
if isinstance(value["host"], bytes):
3098
value["host"] = (value["host"]
3099
.decode("utf-8"))
2624
3100
os.remove(stored_state_path)
2625
3101
except IOError as e:
2626
3102
if e.errno == errno.ENOENT:
2734
3210
2735
3211
@alternate_dbus_interfaces(
2736
3212
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
2737
class MandosDBusService(DBusObjectWithProperties):
3213
class MandosDBusService(DBusObjectWithObjectManager):
2738
3214
"""A D-Bus proxy object"""
2739
3215
2740
3216
def __init__(self):
2742
3218
2743
3219
_interface = "se.recompile.Mandos"
2744
3220
2745
@dbus_interface_annotations(_interface)
2746
def _foo(self):
2747
return {
2748
"org.freedesktop.DBus.Property.EmitsChangedSignal":
2749
"false" }
2750
2751
3221
@dbus.service.signal(_interface, signature="o")
2752
3222
def ClientAdded(self, objpath):
2753
3223
"D-Bus signal"
2758
3228
"D-Bus signal"
2759
3229
pass
2760
3230
3231
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3232
"true"})
2761
3233
@dbus.service.signal(_interface, signature="os")
2762
3234
def ClientRemoved(self, objpath, name):
2763
3235
"D-Bus signal"
2764
3236
pass
2765
3237
3238
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3239
"true"})
2766
3240
@dbus.service.method(_interface, out_signature="ao")
2767
3241
def GetAllClients(self):
2768
3242
"D-Bus method"
2769
3243
return dbus.Array(c.dbus_object_path for c in
2770
tcp_server.clients.itervalues())
3244
tcp_server.clients.values())
2771
3245
3246
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3247
"true"})
2772
3248
@dbus.service.method(_interface,
2773
3249
out_signature="a{oa{sv}}")
2774
3250
def GetAllClientsWithProperties(self):
2775
3251
"D-Bus method"
2776
3252
return dbus.Dictionary(
2777
{ c.dbus_object_path: c.GetAll("")
2778
for c in tcp_server.clients.itervalues() },
3253
{ c.dbus_object_path: c.GetAll(
3254
"se.recompile.Mandos.Client")
3255
for c in tcp_server.clients.values() },
2779
3256
signature="oa{sv}")
2780
3257
2781
3258
@dbus.service.method(_interface, in_signature="o")
2782
3259
def RemoveClient(self, object_path):
2783
3260
"D-Bus method"
2784
for c in tcp_server.clients.itervalues():
3261
for c in tcp_server.clients.values():
2785
3262
if c.dbus_object_path == object_path:
2786
3263
del tcp_server.clients[c.name]
2787
3264
c.remove_from_connection()
2788
# Don't signal anything except ClientRemoved
3265
# Don't signal the disabling
2789
3266
c.disable(quiet=True)
2790
# Emit D-Bus signal
2791
self.ClientRemoved(object_path, c.name)
3267
# Emit D-Bus signal for removal
3268
self.client_removed_signal(c)
2792
3269
return
2793
3270
raise KeyError(object_path)
2794
3271
2795
3272
del _interface
3273
3274
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3275
out_signature = "a{oa{sa{sv}}}")
3276
def GetManagedObjects(self):
3277
"""D-Bus method"""
3278
return dbus.Dictionary(
3279
{ client.dbus_object_path:
3280
dbus.Dictionary(
3281
{ interface: client.GetAll(interface)
3282
for interface in
3283
client._get_all_interface_names()})
3284
for client in tcp_server.clients.values()})
3285
3286
def client_added_signal(self, client):
3287
"""Send the new standard signal and the old signal"""
3288
if use_dbus:
3289
# New standard signal
3290
self.InterfacesAdded(
3291
client.dbus_object_path,
3292
dbus.Dictionary(
3293
{ interface: client.GetAll(interface)
3294
for interface in
3295
client._get_all_interface_names()}))
3296
# Old signal
3297
self.ClientAdded(client.dbus_object_path)
3298
3299
def client_removed_signal(self, client):
3300
"""Send the new standard signal and the old signal"""
3301
if use_dbus:
3302
# New standard signal
3303
self.InterfacesRemoved(
3304
client.dbus_object_path,
3305
client._get_all_interface_names())
3306
# Old signal
3307
self.ClientRemoved(client.dbus_object_path,
3308
client.name)
2796
3309
2797
3310
mandos_dbus_service = MandosDBusService()
2798
3311
2811
3324
# removed/edited, old secret will thus be unrecovable.
2812
3325
clients = {}
2813
3326
with PGPEngine() as pgp:
2814
for client in tcp_server.clients.itervalues():
3327
for client in tcp_server.clients.values():
2815
3328
key = client_settings[client.name]["secret"]
2816
3329
client.encrypted_secret = pgp.encrypt(client.secret,
2817
3330
key)
2841
3354
prefix='clients-',
2842
3355
dir=os.path.dirname(stored_state_path),
2843
3356
delete=False) as stored_state:
2844
pickle.dump((clients, client_settings), stored_state)
3357
pickle.dump((clients, client_settings), stored_state,
3358
protocol = 2)
2845
3359
tempname = stored_state.name
2846
3360
os.rename(tempname, stored_state_path)
2847
3361
except (IOError, OSError) as e:
2863
3377
name, client = tcp_server.clients.popitem()
2864
3378
if use_dbus:
2865
3379
client.remove_from_connection()
2866
# Don't signal anything except ClientRemoved
3380
# Don't signal the disabling
2867
3381
client.disable(quiet=True)
3382
# Emit D-Bus signal for removal
2868
3383
if use_dbus:
2869
# Emit D-Bus signal
2870
mandos_dbus_service.ClientRemoved(
2871
client.dbus_object_path, client.name)
3384
mandos_dbus_service.client_removed_signal(client)
2872
3385
client_settings.clear()
2873
3386
2874
3387
atexit.register(cleanup)
2875
3388
2876
for client in tcp_server.clients.itervalues():
3389
for client in tcp_server.clients.values():
2877
3390
if use_dbus:
2878
# Emit D-Bus signal
2879
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3391
# Emit D-Bus signal for adding
3392
mandos_dbus_service.client_added_signal(client)
2880
3393
# Need to initiate checking of clients
2881
3394
if client.enabled:
2882
3395
client.init_checker()
2908
3421
sys.exit(1)
2909
3422
# End of Avahi example code
2910
3423
2911
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3424
GObject.io_add_watch(tcp_server.fileno(), GObject.IO_IN,
2912
3425
lambda *args, **kwargs:
2913
3426
(tcp_server.handle_request
2914
3427
(*args[2:], **kwargs) or True))
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0