To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 837
- compare with another revision
- download diff
- download tarball
- view history from revision 837
- Committer: Teddy Hogeborn
- Date: 2016-03-19 03:48:56 UTC
- Revision ID: teddy@recompile.se-20160319034856-d8rox0kdxekgr03g
Server: Make persistent state directory mode u=rwx,go=
The Makefile target "install-server" creates the server persistent
state directory /var/lib/mandos as mode u=rwx,go= (0700). Make this
also the case for the Debian package (unless overridden by
dpkg-statoverride).
* debian/mandos.postinst (configure): Fix state directory permissions,
but only if not listed by "dpkg-statoverride".
The Makefile target "install-server" creates the server persistent
state directory /var/lib/mandos as mode u=rwx,go= (0700). Make this
also the case for the Debian package (unless overridden by
dpkg-statoverride).
* debian/mandos.postinst (configure): Fix state directory permissions,
but only if not listed by "dpkg-statoverride".
- files added:
- initramfs-tools-hook-conf
- files removed:
- initramfs-tools-conf
- files modified:
- DBUS-API
added
removed
mandos
1
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2018 Teddy Hogeborn
15
# Copyright © 2008-2018 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
#
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
#
32
#
34
33
35
34
from __future__ import (division, absolute_import, print_function,
36
35
unicode_literals)
87
86
import xml.dom.minidom
88
87
import inspect
89
88
90
# Try to find the value of SO_BINDTODEVICE:
91
89
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
94
90
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
95
91
except AttributeError:
96
92
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
93
from IN import SO_BINDTODEVICE
100
94
except ImportError:
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
95
SO_BINDTODEVICE = None
114
96
115
97
if sys.version_info.major == 2:
116
98
str = unicode
117
99
118
version = "1.7.19"
100
version = "1.7.6"
119
101
stored_state_file = "clients.pickle"
120
102
121
103
logger = logging.getLogger()
125
107
if_nametoindex = ctypes.cdll.LoadLibrary(
126
108
ctypes.util.find_library("c")).if_nametoindex
127
109
except (OSError, AttributeError):
128
110
129
111
def if_nametoindex(interface):
130
112
"Get an interface index the hard way, i.e. using fcntl()"
131
113
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
154
136
155
137
def initlogger(debug, level=logging.WARNING):
156
138
"""init logger and add loglevel"""
157
139
158
140
global syslogger
159
141
syslogger = (logging.handlers.SysLogHandler(
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
142
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
143
address = "/dev/log"))
162
144
syslogger.setFormatter(logging.Formatter
163
145
('Mandos [%(process)d]: %(levelname)s:'
164
146
' %(message)s'))
165
147
logger.addHandler(syslogger)
166
148
167
149
if debug:
168
150
console = logging.StreamHandler()
169
151
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
181
163
182
164
class PGPEngine(object):
183
165
"""A simple class for OpenPGP symmetric encryption & decryption"""
184
166
185
167
def __init__(self):
186
168
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
169
self.gpg = "gpg"
198
180
self.gnupgargs = ['--batch',
199
181
'--homedir', self.tempdir,
200
182
'--force-mdc',
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
183
'--quiet',
184
'--no-use-agent']
185
206
186
def __enter__(self):
207
187
return self
208
188
209
189
def __exit__(self, exc_type, exc_value, traceback):
210
190
self._cleanup()
211
191
return False
212
192
213
193
def __del__(self):
214
194
self._cleanup()
215
195
216
196
def _cleanup(self):
217
197
if self.tempdir is not None:
218
198
# Delete contents of tempdir
219
199
for root, dirs, files in os.walk(self.tempdir,
220
topdown=False):
200
topdown = False):
221
201
for filename in files:
222
202
os.remove(os.path.join(root, filename))
223
203
for dirname in dirs:
225
205
# Remove tempdir
226
206
os.rmdir(self.tempdir)
227
207
self.tempdir = None
228
208
229
209
def password_encode(self, password):
230
210
# Passphrase can not be empty and can not contain newlines or
231
211
# NUL bytes. So we prefix it and hex encode it.
236
216
.replace(b"\n", b"\\n")
237
217
.replace(b"\0", b"\\x00"))
238
218
return encoded
239
219
240
220
def encrypt(self, data, password):
241
221
passphrase = self.password_encode(password)
242
222
with tempfile.NamedTemporaryFile(
247
227
'--passphrase-file',
248
228
passfile.name]
249
229
+ self.gnupgargs,
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
230
stdin = subprocess.PIPE,
231
stdout = subprocess.PIPE,
232
stderr = subprocess.PIPE)
233
ciphertext, err = proc.communicate(input = data)
254
234
if proc.returncode != 0:
255
235
raise PGPError(err)
256
236
return ciphertext
257
237
258
238
def decrypt(self, data, password):
259
239
passphrase = self.password_encode(password)
260
240
with tempfile.NamedTemporaryFile(
261
dir=self.tempdir) as passfile:
241
dir = self.tempdir) as passfile:
262
242
passfile.write(passphrase)
263
243
passfile.flush()
264
244
proc = subprocess.Popen([self.gpg, '--decrypt',
265
245
'--passphrase-file',
266
246
passfile.name]
267
247
+ self.gnupgargs,
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
248
stdin = subprocess.PIPE,
249
stdout = subprocess.PIPE,
250
stderr = subprocess.PIPE)
251
decrypted_plaintext, err = proc.communicate(input = data)
272
252
if proc.returncode != 0:
273
253
raise PGPError(err)
274
254
return decrypted_plaintext
275
255
276
277
256
# Pretend that we have an Avahi module
278
257
class Avahi(object):
279
258
"""This isn't so much a class as it is a module-like namespace.
280
259
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
260
IF_UNSPEC = -1 # avahi-common/address.h
261
PROTO_UNSPEC = -1 # avahi-common/address.h
262
PROTO_INET = 0 # avahi-common/address.h
263
PROTO_INET6 = 1 # avahi-common/address.h
285
264
DBUS_NAME = "org.freedesktop.Avahi"
286
265
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
266
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
267
DBUS_PATH_SERVER = "/"
289
290
268
def string_array_to_txt_array(self, t):
291
269
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
270
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
271
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
272
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
273
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
274
SERVER_INVALID = 0 # avahi-common/defs.h
275
SERVER_REGISTERING = 1 # avahi-common/defs.h
276
SERVER_RUNNING = 2 # avahi-common/defs.h
277
SERVER_COLLISION = 3 # avahi-common/defs.h
278
SERVER_FAILURE = 4 # avahi-common/defs.h
301
279
avahi = Avahi()
302
280
303
304
281
class AvahiError(Exception):
305
282
def __init__(self, value, *args, **kwargs):
306
283
self.value = value
318
295
319
296
class AvahiService(object):
320
297
"""An Avahi (Zeroconf) service.
321
298
322
299
Attributes:
323
300
interface: integer; avahi.IF_UNSPEC or an interface index.
324
301
Used to optionally bind to the specified interface.
336
313
server: D-Bus Server
337
314
bus: dbus.SystemBus()
338
315
"""
339
316
340
317
def __init__(self,
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
318
interface = avahi.IF_UNSPEC,
319
name = None,
320
servicetype = None,
321
port = None,
322
TXT = None,
323
domain = "",
324
host = "",
325
max_renames = 32768,
326
protocol = avahi.PROTO_UNSPEC,
327
bus = None):
351
328
self.interface = interface
352
329
self.name = name
353
330
self.type = servicetype
362
339
self.server = None
363
340
self.bus = bus
364
341
self.entry_group_state_changed_match = None
365
342
366
343
def rename(self, remove=True):
367
344
"""Derived from the Avahi example code"""
368
345
if self.rename_count >= self.max_renames:
388
365
logger.critical("D-Bus Exception", exc_info=error)
389
366
self.cleanup()
390
367
os._exit(1)
391
368
392
369
def remove(self):
393
370
"""Derived from the Avahi example code"""
394
371
if self.entry_group_state_changed_match is not None:
396
373
self.entry_group_state_changed_match = None
397
374
if self.group is not None:
398
375
self.group.Reset()
399
376
400
377
def add(self):
401
378
"""Derived from the Avahi example code"""
402
379
self.remove()
419
396
dbus.UInt16(self.port),
420
397
avahi.string_array_to_txt_array(self.TXT))
421
398
self.group.Commit()
422
399
423
400
def entry_group_state_changed(self, state, error):
424
401
"""Derived from the Avahi example code"""
425
402
logger.debug("Avahi entry group state change: %i", state)
426
403
427
404
if state == avahi.ENTRY_GROUP_ESTABLISHED:
428
405
logger.debug("Zeroconf service established.")
429
406
elif state == avahi.ENTRY_GROUP_COLLISION:
433
410
logger.critical("Avahi: Error in group state changed %s",
434
411
str(error))
435
412
raise AvahiGroupError("State changed: {!s}".format(error))
436
413
437
414
def cleanup(self):
438
415
"""Derived from the Avahi example code"""
439
416
if self.group is not None:
444
421
pass
445
422
self.group = None
446
423
self.remove()
447
424
448
425
def server_state_changed(self, state, error=None):
449
426
"""Derived from the Avahi example code"""
450
427
logger.debug("Avahi server state change: %i", state)
479
456
logger.debug("Unknown state: %r", state)
480
457
else:
481
458
logger.debug("Unknown state: %r: %r", state, error)
482
459
483
460
def activate(self):
484
461
"""Derived from the Avahi example code"""
485
462
if self.server is None:
496
473
class AvahiServiceToSyslog(AvahiService):
497
474
def rename(self, *args, **kwargs):
498
475
"""Add the new name to the syslog messages"""
499
ret = super(AvahiServiceToSyslog, self).rename(*args, **kwargs)
476
ret = AvahiService.rename(self, *args, **kwargs)
500
477
syslogger.setFormatter(logging.Formatter(
501
478
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
502
479
.format(self.name)))
503
480
return ret
504
481
505
506
482
# Pretend that we have a GnuTLS module
507
483
class GnuTLS(object):
508
484
"""This isn't so much a class as it is a module-like namespace.
509
485
It is instantiated once, and simulates having a GnuTLS module."""
510
511
library = ctypes.util.find_library("gnutls")
512
if library is None:
513
library = ctypes.util.find_library("gnutls-deb0")
514
_library = ctypes.cdll.LoadLibrary(library)
515
del library
486
487
_library = ctypes.cdll.LoadLibrary(
488
ctypes.util.find_library("gnutls"))
516
489
_need_version = b"3.3.0"
517
518
490
def __init__(self):
519
# Need to use "self" here, since this method is called before
520
# the assignment to the "gnutls" global variable happens.
521
if self.check_version(self._need_version) is None:
522
raise self.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
491
# Need to use class name "GnuTLS" here, since this method is
492
# called before the assignment to the "gnutls" global variable
493
# happens.
494
if GnuTLS.check_version(self._need_version) is None:
495
raise GnuTLS.Error("Needs GnuTLS {} or later"
496
.format(self._need_version))
497
525
498
# Unless otherwise indicated, the constants and types below are
526
499
# all from the gnutls/gnutls.h C header file.
527
500
528
501
# Constants
529
502
E_SUCCESS = 0
530
503
E_INTERRUPTED = -52
535
508
CRD_CERTIFICATE = 1
536
509
E_NO_CERTIFICATE_FOUND = -49
537
510
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
511
539
512
# Types
540
513
class session_int(ctypes.Structure):
541
514
_fields_ = []
542
515
session_t = ctypes.POINTER(session_int)
543
544
516
class certificate_credentials_st(ctypes.Structure):
545
517
_fields_ = []
546
518
certificate_credentials_t = ctypes.POINTER(
547
519
certificate_credentials_st)
548
520
certificate_type_t = ctypes.c_int
549
550
521
class datum_t(ctypes.Structure):
551
522
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
523
('size', ctypes.c_uint)]
553
554
524
class openpgp_crt_int(ctypes.Structure):
555
525
_fields_ = []
556
526
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
527
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
528
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
529
credentials_type_t = ctypes.c_int
560
530
transport_ptr_t = ctypes.c_void_p
561
531
close_request_t = ctypes.c_int
562
532
563
533
# Exceptions
564
534
class Error(Exception):
565
535
# We need to use the class name "GnuTLS" here, since this
566
536
# exception might be raised from within GnuTLS.__init__,
567
537
# which is called before the assignment to the "gnutls"
568
538
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
539
def __init__(self, message = None, code = None, args=()):
570
540
# Default usage is by a message string, but if a return
571
541
# code is passed, convert it to a string with
572
542
# gnutls.strerror()
575
545
message = GnuTLS.strerror(code)
576
546
return super(GnuTLS.Error, self).__init__(
577
547
message, *args)
578
548
579
549
class CertificateSecurityError(Error):
580
550
pass
581
551
582
552
# Classes
583
553
class Credentials(object):
584
554
def __init__(self):
586
556
gnutls.certificate_allocate_credentials(
587
557
ctypes.byref(self._c_object))
588
558
self.type = gnutls.CRD_CERTIFICATE
589
559
590
560
def __del__(self):
591
561
gnutls.certificate_free_credentials(self._c_object)
592
562
593
563
class ClientSession(object):
594
def __init__(self, socket, credentials=None):
564
def __init__(self, socket, credentials = None):
595
565
self._c_object = gnutls.session_t()
596
566
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
567
gnutls.set_default_priority(self._c_object)
605
575
ctypes.cast(credentials._c_object,
606
576
ctypes.c_void_p))
607
577
self.credentials = credentials
608
578
609
579
def __del__(self):
610
580
gnutls.deinit(self._c_object)
611
581
612
582
def handshake(self):
613
583
return gnutls.handshake(self._c_object)
614
584
615
585
def send(self, data):
616
586
data = bytes(data)
617
587
data_len = len(data)
619
589
data_len -= gnutls.record_send(self._c_object,
620
590
data[-data_len:],
621
591
data_len)
622
592
623
593
def bye(self):
624
594
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
625
595
626
596
# Error handling functions
627
597
def _error_code(result):
628
598
"""A function to raise exceptions on errors, suitable
630
600
if result >= 0:
631
601
return result
632
602
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
raise gnutls.CertificateSecurityError(code=result)
634
raise gnutls.Error(code=result)
635
603
raise gnutls.CertificateSecurityError(code = result)
604
raise gnutls.Error(code = result)
605
636
606
def _retry_on_error(result, func, arguments):
637
607
"""A function to retry on some errors, suitable
638
608
for the 'errcheck' attribute on ctypes functions"""
641
611
return _error_code(result)
642
612
result = func(*arguments)
643
613
return result
644
614
645
615
# Unless otherwise indicated, the function declarations below are
646
616
# all from the gnutls/gnutls.h C header file.
647
617
648
618
# Functions
649
619
priority_set_direct = _library.gnutls_priority_set_direct
650
620
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
621
ctypes.POINTER(ctypes.c_char_p)]
652
622
priority_set_direct.restype = _error_code
653
623
654
624
init = _library.gnutls_init
655
625
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
626
init.restype = _error_code
657
627
658
628
set_default_priority = _library.gnutls_set_default_priority
659
629
set_default_priority.argtypes = [session_t]
660
630
set_default_priority.restype = _error_code
661
631
662
632
record_send = _library.gnutls_record_send
663
633
record_send.argtypes = [session_t, ctypes.c_void_p,
664
634
ctypes.c_size_t]
665
635
record_send.restype = ctypes.c_ssize_t
666
636
record_send.errcheck = _retry_on_error
667
637
668
638
certificate_allocate_credentials = (
669
639
_library.gnutls_certificate_allocate_credentials)
670
640
certificate_allocate_credentials.argtypes = [
671
641
ctypes.POINTER(certificate_credentials_t)]
672
642
certificate_allocate_credentials.restype = _error_code
673
643
674
644
certificate_free_credentials = (
675
645
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
646
certificate_free_credentials.argtypes = [certificate_credentials_t]
678
647
certificate_free_credentials.restype = None
679
648
680
649
handshake_set_private_extensions = (
681
650
_library.gnutls_handshake_set_private_extensions)
682
651
handshake_set_private_extensions.argtypes = [session_t,
683
652
ctypes.c_int]
684
653
handshake_set_private_extensions.restype = None
685
654
686
655
credentials_set = _library.gnutls_credentials_set
687
656
credentials_set.argtypes = [session_t, credentials_type_t,
688
657
ctypes.c_void_p]
689
658
credentials_set.restype = _error_code
690
659
691
660
strerror = _library.gnutls_strerror
692
661
strerror.argtypes = [ctypes.c_int]
693
662
strerror.restype = ctypes.c_char_p
694
663
695
664
certificate_type_get = _library.gnutls_certificate_type_get
696
665
certificate_type_get.argtypes = [session_t]
697
666
certificate_type_get.restype = _error_code
698
667
699
668
certificate_get_peers = _library.gnutls_certificate_get_peers
700
669
certificate_get_peers.argtypes = [session_t,
701
670
ctypes.POINTER(ctypes.c_uint)]
702
671
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
672
704
673
global_set_log_level = _library.gnutls_global_set_log_level
705
674
global_set_log_level.argtypes = [ctypes.c_int]
706
675
global_set_log_level.restype = None
707
676
708
677
global_set_log_function = _library.gnutls_global_set_log_function
709
678
global_set_log_function.argtypes = [log_func]
710
679
global_set_log_function.restype = None
711
680
712
681
deinit = _library.gnutls_deinit
713
682
deinit.argtypes = [session_t]
714
683
deinit.restype = None
715
684
716
685
handshake = _library.gnutls_handshake
717
686
handshake.argtypes = [session_t]
718
687
handshake.restype = _error_code
719
688
handshake.errcheck = _retry_on_error
720
689
721
690
transport_set_ptr = _library.gnutls_transport_set_ptr
722
691
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
692
transport_set_ptr.restype = None
724
693
725
694
bye = _library.gnutls_bye
726
695
bye.argtypes = [session_t, close_request_t]
727
696
bye.restype = _error_code
728
697
bye.errcheck = _retry_on_error
729
698
730
699
check_version = _library.gnutls_check_version
731
700
check_version.argtypes = [ctypes.c_char_p]
732
701
check_version.restype = ctypes.c_char_p
733
702
734
703
# All the function declarations below are from gnutls/openpgp.h
735
704
736
705
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
706
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
707
openpgp_crt_init.restype = _error_code
739
708
740
709
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
710
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
711
ctypes.POINTER(datum_t),
743
712
openpgp_crt_fmt_t]
744
713
openpgp_crt_import.restype = _error_code
745
714
746
715
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
716
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
717
ctypes.POINTER(ctypes.c_uint)]
749
718
openpgp_crt_verify_self.restype = _error_code
750
719
751
720
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
721
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
722
openpgp_crt_deinit.restype = None
754
723
755
724
openpgp_crt_get_fingerprint = (
756
725
_library.gnutls_openpgp_crt_get_fingerprint)
757
726
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
728
ctypes.POINTER(
760
729
ctypes.c_size_t)]
761
730
openpgp_crt_get_fingerprint.restype = _error_code
762
731
763
732
# Remove non-public functions
764
733
del _error_code, _retry_on_error
765
734
# Create the global "gnutls" object, simulating a module
766
735
gnutls = GnuTLS()
767
736
768
769
737
def call_pipe(connection, # : multiprocessing.Connection
770
738
func, *args, **kwargs):
771
739
"""This function is meant to be called by multiprocessing.Process
772
740
773
741
This function runs func(*args, **kwargs), and writes the resulting
774
742
return value on the provided multiprocessing.Connection.
775
743
"""
776
744
connection.send(func(*args, **kwargs))
777
745
connection.close()
778
746
779
780
747
class Client(object):
781
748
"""A representation of a client host served by this server.
782
749
783
750
Attributes:
784
751
approved: bool(); 'None' if not yet approved/disapproved
785
752
approval_delay: datetime.timedelta(); Time to wait for approval
822
789
disabled, or None
823
790
server_settings: The server_settings dict from main()
824
791
"""
825
792
826
793
runtime_expansions = ("approval_delay", "approval_duration",
827
794
"created", "enabled", "expires",
828
795
"fingerprint", "host", "interval",
839
806
"approved_by_default": "True",
840
807
"enabled": "True",
841
808
}
842
809
843
810
@staticmethod
844
811
def config_parser(config):
845
812
"""Construct a new dict of client settings of this form:
852
819
for client_name in config.sections():
853
820
section = dict(config.items(client_name))
854
821
client = settings[client_name] = {}
855
822
856
823
client["host"] = section["host"]
857
824
# Reformat values from string types to Python types
858
825
client["approved_by_default"] = config.getboolean(
859
826
client_name, "approved_by_default")
860
827
client["enabled"] = config.getboolean(client_name,
861
828
"enabled")
862
829
863
830
# Uppercase and remove spaces from fingerprint for later
864
831
# comparison purposes with return value from the
865
832
# fingerprint() function
889
856
client["last_approval_request"] = None
890
857
client["last_checked_ok"] = None
891
858
client["last_checker_status"] = -2
892
859
893
860
return settings
894
895
def __init__(self, settings, name=None, server_settings=None):
861
862
def __init__(self, settings, name = None, server_settings=None):
896
863
self.name = name
897
864
if server_settings is None:
898
865
server_settings = {}
900
867
# adding all client settings
901
868
for setting, value in settings.items():
902
869
setattr(self, setting, value)
903
870
904
871
if self.enabled:
905
872
if not hasattr(self, "last_enabled"):
906
873
self.last_enabled = datetime.datetime.utcnow()
910
877
else:
911
878
self.last_enabled = None
912
879
self.expires = None
913
880
914
881
logger.debug("Creating client %r", self.name)
915
882
logger.debug(" Fingerprint: %s", self.fingerprint)
916
883
self.created = settings.get("created",
917
884
datetime.datetime.utcnow())
918
885
919
886
# attributes specific for this server instance
920
887
self.checker = None
921
888
self.checker_initiator_tag = None
930
897
for attr in self.__dict__.keys()
931
898
if not attr.startswith("_")]
932
899
self.client_structure.append("client_structure")
933
900
934
901
for name, t in inspect.getmembers(
935
902
type(self), lambda obj: isinstance(obj, property)):
936
903
if not name.startswith("_"):
937
904
self.client_structure.append(name)
938
905
939
906
# Send notice to process children that client state has changed
940
907
def send_changedstate(self):
941
908
with self.changedstate:
942
909
self.changedstate.notify_all()
943
910
944
911
def enable(self):
945
912
"""Start this client's checker and timeout hooks"""
946
913
if getattr(self, "enabled", False):
951
918
self.last_enabled = datetime.datetime.utcnow()
952
919
self.init_checker()
953
920
self.send_changedstate()
954
921
955
922
def disable(self, quiet=True):
956
923
"""Disable this client."""
957
924
if not getattr(self, "enabled", False):
971
938
self.send_changedstate()
972
939
# Do not run this again if called by a GLib.timeout_add
973
940
return False
974
941
975
942
def __del__(self):
976
943
self.disable()
977
944
978
945
def init_checker(self):
979
946
# Schedule a new checker to be started an 'interval' from now,
980
947
# and every interval from then on.
990
957
int(self.timeout.total_seconds() * 1000), self.disable)
991
958
# Also start a new checker *right now*.
992
959
self.start_checker()
993
960
994
961
def checker_callback(self, source, condition, connection,
995
962
command):
996
963
"""The checker has completed, so take appropriate actions."""
999
966
# Read return code from connection (see call_pipe)
1000
967
returncode = connection.recv()
1001
968
connection.close()
1002
969
1003
970
if returncode >= 0:
1004
971
self.last_checker_status = returncode
1005
972
self.last_checker_signal = None
1015
982
logger.warning("Checker for %(name)s crashed?",
1016
983
vars(self))
1017
984
return False
1018
985
1019
986
def checked_ok(self):
1020
987
"""Assert that the client has been seen, alive and well."""
1021
988
self.last_checked_ok = datetime.datetime.utcnow()
1022
989
self.last_checker_status = 0
1023
990
self.last_checker_signal = None
1024
991
self.bump_timeout()
1025
992
1026
993
def bump_timeout(self, timeout=None):
1027
994
"""Bump up the timeout for this client."""
1028
995
if timeout is None:
1034
1001
self.disable_initiator_tag = GLib.timeout_add(
1035
1002
int(timeout.total_seconds() * 1000), self.disable)
1036
1003
self.expires = datetime.datetime.utcnow() + timeout
1037
1004
1038
1005
def need_approval(self):
1039
1006
self.last_approval_request = datetime.datetime.utcnow()
1040
1007
1041
1008
def start_checker(self):
1042
1009
"""Start a new checker subprocess if one is not running.
1043
1010
1044
1011
If a checker already exists, leave it running and do
1045
1012
nothing."""
1046
1013
# The reason for not killing a running checker is that if we
1051
1018
# checkers alone, the checker would have to take more time
1052
1019
# than 'timeout' for the client to be disabled, which is as it
1053
1020
# should be.
1054
1021
1055
1022
if self.checker is not None and not self.checker.is_alive():
1056
1023
logger.warning("Checker was not alive; joining")
1057
1024
self.checker.join()
1061
1028
# Escape attributes for the shell
1062
1029
escaped_attrs = {
1063
1030
attr: re.escape(str(getattr(self, attr)))
1064
for attr in self.runtime_expansions}
1031
for attr in self.runtime_expansions }
1065
1032
try:
1066
1033
command = self.checker_command % escaped_attrs
1067
1034
except TypeError as error:
1079
1046
# The exception is when not debugging but nevertheless
1080
1047
# running in the foreground; use the previously
1081
1048
# created wnull.
1082
popen_args = {"close_fds": True,
1083
"shell": True,
1084
"cwd": "/"}
1049
popen_args = { "close_fds": True,
1050
"shell": True,
1051
"cwd": "/" }
1085
1052
if (not self.server_settings["debug"]
1086
1053
and self.server_settings["foreground"]):
1087
1054
popen_args.update({"stdout": wnull,
1088
"stderr": wnull})
1089
pipe = multiprocessing.Pipe(duplex=False)
1055
"stderr": wnull })
1056
pipe = multiprocessing.Pipe(duplex = False)
1090
1057
self.checker = multiprocessing.Process(
1091
target=call_pipe,
1092
args=(pipe[1], subprocess.call, command),
1093
kwargs=popen_args)
1058
target = call_pipe,
1059
args = (pipe[1], subprocess.call, command),
1060
kwargs = popen_args)
1094
1061
self.checker.start()
1095
1062
self.checker_callback_tag = GLib.io_add_watch(
1096
1063
pipe[0].fileno(), GLib.IO_IN,
1097
1064
self.checker_callback, pipe[0], command)
1098
1065
# Re-run this periodically if run by GLib.timeout_add
1099
1066
return True
1100
1067
1101
1068
def stop_checker(self):
1102
1069
"""Force the checker process, if any, to stop."""
1103
1070
if self.checker_callback_tag:
1116
1083
byte_arrays=False):
1117
1084
"""Decorators for marking methods of a DBusObjectWithProperties to
1118
1085
become properties on the D-Bus.
1119
1086
1120
1087
The decorated method will be called with no arguments by "Get"
1121
1088
and with one argument by "Set".
1122
1089
1123
1090
The parameters, where they are supported, are the same as
1124
1091
dbus.service.method, except there is only "signature", since the
1125
1092
type from Get() and the type sent to Set() is the same.
1129
1096
if byte_arrays and signature != "ay":
1130
1097
raise ValueError("Byte arrays not supported for non-'ay'"
1131
1098
" signature {!r}".format(signature))
1132
1099
1133
1100
def decorator(func):
1134
1101
func._dbus_is_property = True
1135
1102
func._dbus_interface = dbus_interface
1138
1105
func._dbus_name = func.__name__
1139
1106
if func._dbus_name.endswith("_dbus_property"):
1140
1107
func._dbus_name = func._dbus_name[:-14]
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1108
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
1109
return func
1143
1110
1144
1111
return decorator
1145
1112
1146
1113
1147
1114
def dbus_interface_annotations(dbus_interface):
1148
1115
"""Decorator for marking functions returning interface annotations
1149
1116
1150
1117
Usage:
1151
1118
1152
1119
@dbus_interface_annotations("org.example.Interface")
1153
1120
def _foo(self): # Function name does not matter
1154
1121
return {"org.freedesktop.DBus.Deprecated": "true",
1155
1122
"org.freedesktop.DBus.Property.EmitsChangedSignal":
1156
1123
"false"}
1157
1124
"""
1158
1125
1159
1126
def decorator(func):
1160
1127
func._dbus_is_interface = True
1161
1128
func._dbus_interface = dbus_interface
1162
1129
func._dbus_name = dbus_interface
1163
1130
return func
1164
1131
1165
1132
return decorator
1166
1133
1167
1134
1168
1135
def dbus_annotations(annotations):
1169
1136
"""Decorator to annotate D-Bus methods, signals or properties
1170
1137
Usage:
1171
1138
1172
1139
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1173
1140
"org.freedesktop.DBus.Property."
1174
1141
"EmitsChangedSignal": "false"})
1176
1143
access="r")
1177
1144
def Property_dbus_property(self):
1178
1145
return dbus.Boolean(False)
1179
1146
1180
1147
See also the DBusObjectWithAnnotations class.
1181
1148
"""
1182
1149
1183
1150
def decorator(func):
1184
1151
func._dbus_annotations = annotations
1185
1152
return func
1186
1153
1187
1154
return decorator
1188
1155
1189
1156
1207
1174
1208
1175
class DBusObjectWithAnnotations(dbus.service.Object):
1209
1176
"""A D-Bus object with annotations.
1210
1177
1211
1178
Classes inheriting from this can use the dbus_annotations
1212
1179
decorator to add annotations to methods or signals.
1213
1180
"""
1214
1181
1215
1182
@staticmethod
1216
1183
def _is_dbus_thing(thing):
1217
1184
"""Returns a function testing if an attribute is a D-Bus thing
1218
1185
1219
1186
If called like _is_dbus_thing("method") it returns a function
1220
1187
suitable for use as predicate to inspect.getmembers().
1221
1188
"""
1222
1189
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
1223
1190
False)
1224
1191
1225
1192
def _get_all_dbus_things(self, thing):
1226
1193
"""Returns a generator of (name, attribute) pairs
1227
1194
"""
1230
1197
for cls in self.__class__.__mro__
1231
1198
for name, athing in
1232
1199
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1233
1200
1234
1201
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1235
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
1202
out_signature = "s",
1203
path_keyword = 'object_path',
1204
connection_keyword = 'connection')
1238
1205
def Introspect(self, object_path, connection):
1239
1206
"""Overloading of standard D-Bus method.
1240
1207
1241
1208
Inserts annotation tags on methods and signals.
1242
1209
"""
1243
1210
xmlstring = dbus.service.Object.Introspect(self, object_path,
1244
1211
connection)
1245
1212
try:
1246
1213
document = xml.dom.minidom.parseString(xmlstring)
1247
1214
1248
1215
for if_tag in document.getElementsByTagName("interface"):
1249
1216
# Add annotation tags
1250
1217
for typ in ("method", "signal"):
1277
1244
if_tag.appendChild(ann_tag)
1278
1245
# Fix argument name for the Introspect method itself
1279
1246
if (if_tag.getAttribute("name")
1280
== dbus.INTROSPECTABLE_IFACE):
1247
== dbus.INTROSPECTABLE_IFACE):
1281
1248
for cn in if_tag.getElementsByTagName("method"):
1282
1249
if cn.getAttribute("name") == "Introspect":
1283
1250
for arg in cn.getElementsByTagName("arg"):
1296
1263
1297
1264
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1298
1265
"""A D-Bus object with properties.
1299
1266
1300
1267
Classes inheriting from this can use the dbus_service_property
1301
1268
decorator to expose methods as D-Bus properties. It exposes the
1302
1269
standard Get(), Set(), and GetAll() methods on the D-Bus.
1303
1270
"""
1304
1271
1305
1272
def _get_dbus_property(self, interface_name, property_name):
1306
1273
"""Returns a bound method if one exists which is a D-Bus
1307
1274
property with the specified name and interface.
1312
1279
if (value._dbus_name == property_name
1313
1280
and value._dbus_interface == interface_name):
1314
1281
return value.__get__(self)
1315
1282
1316
1283
# No such property
1317
1284
raise DBusPropertyNotFound("{}:{}.{}".format(
1318
1285
self.dbus_object_path, interface_name, property_name))
1319
1286
1320
1287
@classmethod
1321
1288
def _get_all_interface_names(cls):
1322
1289
"""Get a sequence of all interfaces supported by an object"""
1325
1292
for x in (inspect.getmro(cls))
1326
1293
for attr in dir(x))
1327
1294
if name is not None)
1328
1295
1329
1296
@dbus.service.method(dbus.PROPERTIES_IFACE,
1330
1297
in_signature="ss",
1331
1298
out_signature="v")
1339
1306
if not hasattr(value, "variant_level"):
1340
1307
return value
1341
1308
return type(value)(value, variant_level=value.variant_level+1)
1342
1309
1343
1310
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1344
1311
def Set(self, interface_name, property_name, value):
1345
1312
"""Standard D-Bus property Set() method, see D-Bus standard.
1357
1324
value = dbus.ByteArray(b''.join(chr(byte)
1358
1325
for byte in value))
1359
1326
prop(value)
1360
1327
1361
1328
@dbus.service.method(dbus.PROPERTIES_IFACE,
1362
1329
in_signature="s",
1363
1330
out_signature="a{sv}")
1364
1331
def GetAll(self, interface_name):
1365
1332
"""Standard D-Bus property GetAll() method, see D-Bus
1366
1333
standard.
1367
1334
1368
1335
Note: Will not include properties with access="write".
1369
1336
"""
1370
1337
properties = {}
1381
1348
properties[name] = value
1382
1349
continue
1383
1350
properties[name] = type(value)(
1384
value, variant_level=value.variant_level + 1)
1351
value, variant_level = value.variant_level + 1)
1385
1352
return dbus.Dictionary(properties, signature="sv")
1386
1353
1387
1354
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1388
1355
def PropertiesChanged(self, interface_name, changed_properties,
1389
1356
invalidated_properties):
1391
1358
standard.
1392
1359
"""
1393
1360
pass
1394
1361
1395
1362
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1396
1363
out_signature="s",
1397
1364
path_keyword='object_path',
1398
1365
connection_keyword='connection')
1399
1366
def Introspect(self, object_path, connection):
1400
1367
"""Overloading of standard D-Bus method.
1401
1368
1402
1369
Inserts property tags and interface annotation tags.
1403
1370
"""
1404
1371
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1406
1373
connection)
1407
1374
try:
1408
1375
document = xml.dom.minidom.parseString(xmlstring)
1409
1376
1410
1377
def make_tag(document, name, prop):
1411
1378
e = document.createElement("property")
1412
1379
e.setAttribute("name", name)
1413
1380
e.setAttribute("type", prop._dbus_signature)
1414
1381
e.setAttribute("access", prop._dbus_access)
1415
1382
return e
1416
1383
1417
1384
for if_tag in document.getElementsByTagName("interface"):
1418
1385
# Add property tags
1419
1386
for tag in (make_tag(document, name, prop)
1461
1428
exc_info=error)
1462
1429
return xmlstring
1463
1430
1464
1465
1431
try:
1466
1432
dbus.OBJECT_MANAGER_IFACE
1467
1433
except AttributeError:
1468
1434
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1469
1435
1470
1471
1436
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1472
1437
"""A D-Bus object with an ObjectManager.
1473
1438
1474
1439
Classes inheriting from this exposes the standard
1475
1440
GetManagedObjects call and the InterfacesAdded and
1476
1441
InterfacesRemoved signals on the standard
1477
1442
"org.freedesktop.DBus.ObjectManager" interface.
1478
1443
1479
1444
Note: No signals are sent automatically; they must be sent
1480
1445
manually.
1481
1446
"""
1482
1447
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1483
out_signature="a{oa{sa{sv}}}")
1448
out_signature = "a{oa{sa{sv}}}")
1484
1449
def GetManagedObjects(self):
1485
1450
"""This function must be overridden"""
1486
1451
raise NotImplementedError()
1487
1452
1488
1453
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1489
signature="oa{sa{sv}}")
1454
signature = "oa{sa{sv}}")
1490
1455
def InterfacesAdded(self, object_path, interfaces_and_properties):
1491
1456
pass
1492
1493
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1457
1458
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1494
1459
def InterfacesRemoved(self, object_path, interfaces):
1495
1460
pass
1496
1461
1497
1462
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1498
out_signature="s",
1499
path_keyword='object_path',
1500
connection_keyword='connection')
1463
out_signature = "s",
1464
path_keyword = 'object_path',
1465
connection_keyword = 'connection')
1501
1466
def Introspect(self, object_path, connection):
1502
1467
"""Overloading of standard D-Bus method.
1503
1468
1504
1469
Override return argument name of GetManagedObjects to be
1505
1470
"objpath_interfaces_and_properties"
1506
1471
"""
1509
1474
connection)
1510
1475
try:
1511
1476
document = xml.dom.minidom.parseString(xmlstring)
1512
1477
1513
1478
for if_tag in document.getElementsByTagName("interface"):
1514
1479
# Fix argument name for the GetManagedObjects method
1515
1480
if (if_tag.getAttribute("name")
1516
== dbus.OBJECT_MANAGER_IFACE):
1481
== dbus.OBJECT_MANAGER_IFACE):
1517
1482
for cn in if_tag.getElementsByTagName("method"):
1518
1483
if (cn.getAttribute("name")
1519
1484
== "GetManagedObjects"):
1529
1494
except (AttributeError, xml.dom.DOMException,
1530
1495
xml.parsers.expat.ExpatError) as error:
1531
1496
logger.error("Failed to override Introspection method",
1532
exc_info=error)
1497
exc_info = error)
1533
1498
return xmlstring
1534
1499
1535
1536
1500
def datetime_to_dbus(dt, variant_level=0):
1537
1501
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1538
1502
if dt is None:
1539
return dbus.String("", variant_level=variant_level)
1503
return dbus.String("", variant_level = variant_level)
1540
1504
return dbus.String(dt.isoformat(), variant_level=variant_level)
1541
1505
1542
1506
1545
1509
dbus.service.Object, it will add alternate D-Bus attributes with
1546
1510
interface names according to the "alt_interface_names" mapping.
1547
1511
Usage:
1548
1512
1549
1513
@alternate_dbus_interfaces({"org.example.Interface":
1550
1514
"net.example.AlternateInterface"})
1551
1515
class SampleDBusObject(dbus.service.Object):
1552
1516
@dbus.service.method("org.example.Interface")
1553
1517
def SampleDBusMethod():
1554
1518
pass
1555
1519
1556
1520
The above "SampleDBusMethod" on "SampleDBusObject" will be
1557
1521
reachable via two interfaces: "org.example.Interface" and
1558
1522
"net.example.AlternateInterface", the latter of which will have
1559
1523
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1560
1524
"true", unless "deprecate" is passed with a False value.
1561
1525
1562
1526
This works for methods and signals, and also for D-Bus properties
1563
1527
(from DBusObjectWithProperties) and interfaces (from the
1564
1528
dbus_interface_annotations decorator).
1565
1529
"""
1566
1530
1567
1531
def wrapper(cls):
1568
1532
for orig_interface_name, alt_interface_name in (
1569
1533
alt_interface_names.items()):
1609
1573
attribute._dbus_annotations)
1610
1574
except AttributeError:
1611
1575
pass
1612
1613
1576
# Define a creator of a function to call both the
1614
1577
# original and alternate functions, so both the
1615
1578
# original and alternate signals gets sent when
1618
1581
"""This function is a scope container to pass
1619
1582
func1 and func2 to the "call_both" function
1620
1583
outside of its arguments"""
1621
1584
1622
1585
@functools.wraps(func2)
1623
1586
def call_both(*args, **kwargs):
1624
1587
"""This function will emit two D-Bus
1625
1588
signals by calling func1 and func2"""
1626
1589
func1(*args, **kwargs)
1627
1590
func2(*args, **kwargs)
1628
# Make wrapper function look like a D-Bus
1629
# signal
1591
# Make wrapper function look like a D-Bus signal
1630
1592
for name, attr in inspect.getmembers(func2):
1631
1593
if name.startswith("_dbus_"):
1632
1594
setattr(call_both, name, attr)
1633
1595
1634
1596
return call_both
1635
1597
# Create the "call_both" function and add it to
1636
1598
# the class
1682
1644
(copy_function(attribute)))
1683
1645
if deprecate:
1684
1646
# Deprecate all alternate interfaces
1685
iname = "_AlternateDBusNames_interface_annotation{}"
1647
iname="_AlternateDBusNames_interface_annotation{}"
1686
1648
for interface_name in interface_names:
1687
1649
1688
1650
@dbus_interface_annotations(interface_name)
1689
1651
def func(self):
1690
return {"org.freedesktop.DBus.Deprecated":
1691
"true"}
1652
return { "org.freedesktop.DBus.Deprecated":
1653
"true" }
1692
1654
# Find an unused name
1693
1655
for aname in (iname.format(i)
1694
1656
for i in itertools.count()):
1705
1667
cls = type("{}Alternate".format(cls.__name__),
1706
1668
(cls, ), attr)
1707
1669
return cls
1708
1670
1709
1671
return wrapper
1710
1672
1711
1673
1713
1675
"se.bsnet.fukt.Mandos"})
1714
1676
class ClientDBus(Client, DBusObjectWithProperties):
1715
1677
"""A Client class using D-Bus
1716
1678
1717
1679
Attributes:
1718
1680
dbus_object_path: dbus.ObjectPath
1719
1681
bus: dbus.SystemBus()
1720
1682
"""
1721
1683
1722
1684
runtime_expansions = (Client.runtime_expansions
1723
1685
+ ("dbus_object_path", ))
1724
1686
1725
1687
_interface = "se.recompile.Mandos.Client"
1726
1688
1727
1689
# dbus.service.Object doesn't use super(), so we can't either.
1728
1729
def __init__(self, bus=None, *args, **kwargs):
1690
1691
def __init__(self, bus = None, *args, **kwargs):
1730
1692
self.bus = bus
1731
1693
Client.__init__(self, *args, **kwargs)
1732
1694
# Only now, when this client is initialized, can it show up on
1738
1700
"/clients/" + client_object_name)
1739
1701
DBusObjectWithProperties.__init__(self, self.bus,
1740
1702
self.dbus_object_path)
1741
1703
1742
1704
def notifychangeproperty(transform_func, dbus_name,
1743
1705
type_func=lambda x: x,
1744
1706
variant_level=1,
1746
1708
_interface=_interface):
1747
1709
""" Modify a variable so that it's a property which announces
1748
1710
its changes to DBus.
1749
1711
1750
1712
transform_fun: Function that takes a value and a variant_level
1751
1713
and transforms it to a D-Bus type.
1752
1714
dbus_name: D-Bus name of the variable
1755
1717
variant_level: D-Bus variant level. Default: 1
1756
1718
"""
1757
1719
attrname = "_{}".format(dbus_name)
1758
1720
1759
1721
def setter(self, value):
1760
1722
if hasattr(self, "dbus_object_path"):
1761
1723
if (not hasattr(self, attrname) or
1768
1730
else:
1769
1731
dbus_value = transform_func(
1770
1732
type_func(value),
1771
variant_level=variant_level)
1733
variant_level = variant_level)
1772
1734
self.PropertyChanged(dbus.String(dbus_name),
1773
1735
dbus_value)
1774
1736
self.PropertiesChanged(
1775
1737
_interface,
1776
dbus.Dictionary({dbus.String(dbus_name):
1777
dbus_value}),
1738
dbus.Dictionary({ dbus.String(dbus_name):
1739
dbus_value }),
1778
1740
dbus.Array())
1779
1741
setattr(self, attrname, value)
1780
1742
1781
1743
return property(lambda self: getattr(self, attrname), setter)
1782
1744
1783
1745
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1784
1746
approvals_pending = notifychangeproperty(dbus.Boolean,
1785
1747
"ApprovalPending",
1786
type_func=bool)
1748
type_func = bool)
1787
1749
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1788
1750
last_enabled = notifychangeproperty(datetime_to_dbus,
1789
1751
"LastEnabled")
1790
1752
checker = notifychangeproperty(
1791
1753
dbus.Boolean, "CheckerRunning",
1792
type_func=lambda checker: checker is not None)
1754
type_func = lambda checker: checker is not None)
1793
1755
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1794
1756
"LastCheckedOK")
1795
1757
last_checker_status = notifychangeproperty(dbus.Int16,
1800
1762
"ApprovedByDefault")
1801
1763
approval_delay = notifychangeproperty(
1802
1764
dbus.UInt64, "ApprovalDelay",
1803
type_func=lambda td: td.total_seconds() * 1000)
1765
type_func = lambda td: td.total_seconds() * 1000)
1804
1766
approval_duration = notifychangeproperty(
1805
1767
dbus.UInt64, "ApprovalDuration",
1806
type_func=lambda td: td.total_seconds() * 1000)
1768
type_func = lambda td: td.total_seconds() * 1000)
1807
1769
host = notifychangeproperty(dbus.String, "Host")
1808
1770
timeout = notifychangeproperty(
1809
1771
dbus.UInt64, "Timeout",
1810
type_func=lambda td: td.total_seconds() * 1000)
1772
type_func = lambda td: td.total_seconds() * 1000)
1811
1773
extended_timeout = notifychangeproperty(
1812
1774
dbus.UInt64, "ExtendedTimeout",
1813
type_func=lambda td: td.total_seconds() * 1000)
1775
type_func = lambda td: td.total_seconds() * 1000)
1814
1776
interval = notifychangeproperty(
1815
1777
dbus.UInt64, "Interval",
1816
type_func=lambda td: td.total_seconds() * 1000)
1778
type_func = lambda td: td.total_seconds() * 1000)
1817
1779
checker_command = notifychangeproperty(dbus.String, "Checker")
1818
1780
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1819
1781
invalidate_only=True)
1820
1782
1821
1783
del notifychangeproperty
1822
1784
1823
1785
def __del__(self, *args, **kwargs):
1824
1786
try:
1825
1787
self.remove_from_connection()
1828
1790
if hasattr(DBusObjectWithProperties, "__del__"):
1829
1791
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1830
1792
Client.__del__(self, *args, **kwargs)
1831
1793
1832
1794
def checker_callback(self, source, condition,
1833
1795
connection, command, *args, **kwargs):
1834
1796
ret = Client.checker_callback(self, source, condition,
1850
1812
| self.last_checker_signal),
1851
1813
dbus.String(command))
1852
1814
return ret
1853
1815
1854
1816
def start_checker(self, *args, **kwargs):
1855
1817
old_checker_pid = getattr(self.checker, "pid", None)
1856
1818
r = Client.start_checker(self, *args, **kwargs)
1860
1822
# Emit D-Bus signal
1861
1823
self.CheckerStarted(self.current_checker_command)
1862
1824
return r
1863
1825
1864
1826
def _reset_approved(self):
1865
1827
self.approved = None
1866
1828
return False
1867
1829
1868
1830
def approve(self, value=True):
1869
1831
self.approved = value
1870
1832
GLib.timeout_add(int(self.approval_duration.total_seconds()
1871
1833
* 1000), self._reset_approved)
1872
1834
self.send_changedstate()
1873
1874
# D-Bus methods, signals & properties
1875
1876
# Interfaces
1877
1878
# Signals
1879
1835
1836
## D-Bus methods, signals & properties
1837
1838
## Interfaces
1839
1840
## Signals
1841
1880
1842
# CheckerCompleted - signal
1881
1843
@dbus.service.signal(_interface, signature="nxs")
1882
1844
def CheckerCompleted(self, exitcode, waitstatus, command):
1883
1845
"D-Bus signal"
1884
1846
pass
1885
1847
1886
1848
# CheckerStarted - signal
1887
1849
@dbus.service.signal(_interface, signature="s")
1888
1850
def CheckerStarted(self, command):
1889
1851
"D-Bus signal"
1890
1852
pass
1891
1853
1892
1854
# PropertyChanged - signal
1893
1855
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1894
1856
@dbus.service.signal(_interface, signature="sv")
1895
1857
def PropertyChanged(self, property, value):
1896
1858
"D-Bus signal"
1897
1859
pass
1898
1860
1899
1861
# GotSecret - signal
1900
1862
@dbus.service.signal(_interface)
1901
1863
def GotSecret(self):
1904
1866
server to mandos-client
1905
1867
"""
1906
1868
pass
1907
1869
1908
1870
# Rejected - signal
1909
1871
@dbus.service.signal(_interface, signature="s")
1910
1872
def Rejected(self, reason):
1911
1873
"D-Bus signal"
1912
1874
pass
1913
1875
1914
1876
# NeedApproval - signal
1915
1877
@dbus.service.signal(_interface, signature="tb")
1916
1878
def NeedApproval(self, timeout, default):
1917
1879
"D-Bus signal"
1918
1880
return self.need_approval()
1919
1920
# Methods
1921
1881
1882
## Methods
1883
1922
1884
# Approve - method
1923
1885
@dbus.service.method(_interface, in_signature="b")
1924
1886
def Approve(self, value):
1925
1887
self.approve(value)
1926
1888
1927
1889
# CheckedOK - method
1928
1890
@dbus.service.method(_interface)
1929
1891
def CheckedOK(self):
1930
1892
self.checked_ok()
1931
1893
1932
1894
# Enable - method
1933
1895
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1934
1896
@dbus.service.method(_interface)
1935
1897
def Enable(self):
1936
1898
"D-Bus method"
1937
1899
self.enable()
1938
1900
1939
1901
# StartChecker - method
1940
1902
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1941
1903
@dbus.service.method(_interface)
1942
1904
def StartChecker(self):
1943
1905
"D-Bus method"
1944
1906
self.start_checker()
1945
1907
1946
1908
# Disable - method
1947
1909
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1948
1910
@dbus.service.method(_interface)
1949
1911
def Disable(self):
1950
1912
"D-Bus method"
1951
1913
self.disable()
1952
1914
1953
1915
# StopChecker - method
1954
1916
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1955
1917
@dbus.service.method(_interface)
1956
1918
def StopChecker(self):
1957
1919
self.stop_checker()
1958
1959
# Properties
1960
1920
1921
## Properties
1922
1961
1923
# ApprovalPending - property
1962
1924
@dbus_service_property(_interface, signature="b", access="read")
1963
1925
def ApprovalPending_dbus_property(self):
1964
1926
return dbus.Boolean(bool(self.approvals_pending))
1965
1927
1966
1928
# ApprovedByDefault - property
1967
1929
@dbus_service_property(_interface,
1968
1930
signature="b",
1971
1933
if value is None: # get
1972
1934
return dbus.Boolean(self.approved_by_default)
1973
1935
self.approved_by_default = bool(value)
1974
1936
1975
1937
# ApprovalDelay - property
1976
1938
@dbus_service_property(_interface,
1977
1939
signature="t",
1981
1943
return dbus.UInt64(self.approval_delay.total_seconds()
1982
1944
* 1000)
1983
1945
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1984
1946
1985
1947
# ApprovalDuration - property
1986
1948
@dbus_service_property(_interface,
1987
1949
signature="t",
1991
1953
return dbus.UInt64(self.approval_duration.total_seconds()
1992
1954
* 1000)
1993
1955
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1994
1956
1995
1957
# Name - property
1996
1958
@dbus_annotations(
1997
1959
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1998
1960
@dbus_service_property(_interface, signature="s", access="read")
1999
1961
def Name_dbus_property(self):
2000
1962
return dbus.String(self.name)
2001
1963
2002
1964
# Fingerprint - property
2003
1965
@dbus_annotations(
2004
1966
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2005
1967
@dbus_service_property(_interface, signature="s", access="read")
2006
1968
def Fingerprint_dbus_property(self):
2007
1969
return dbus.String(self.fingerprint)
2008
1970
2009
1971
# Host - property
2010
1972
@dbus_service_property(_interface,
2011
1973
signature="s",
2014
1976
if value is None: # get
2015
1977
return dbus.String(self.host)
2016
1978
self.host = str(value)
2017
1979
2018
1980
# Created - property
2019
1981
@dbus_annotations(
2020
1982
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2021
1983
@dbus_service_property(_interface, signature="s", access="read")
2022
1984
def Created_dbus_property(self):
2023
1985
return datetime_to_dbus(self.created)
2024
1986
2025
1987
# LastEnabled - property
2026
1988
@dbus_service_property(_interface, signature="s", access="read")
2027
1989
def LastEnabled_dbus_property(self):
2028
1990
return datetime_to_dbus(self.last_enabled)
2029
1991
2030
1992
# Enabled - property
2031
1993
@dbus_service_property(_interface,
2032
1994
signature="b",
2038
2000
self.enable()
2039
2001
else:
2040
2002
self.disable()
2041
2003
2042
2004
# LastCheckedOK - property
2043
2005
@dbus_service_property(_interface,
2044
2006
signature="s",
2048
2010
self.checked_ok()
2049
2011
return
2050
2012
return datetime_to_dbus(self.last_checked_ok)
2051
2013
2052
2014
# LastCheckerStatus - property
2053
2015
@dbus_service_property(_interface, signature="n", access="read")
2054
2016
def LastCheckerStatus_dbus_property(self):
2055
2017
return dbus.Int16(self.last_checker_status)
2056
2018
2057
2019
# Expires - property
2058
2020
@dbus_service_property(_interface, signature="s", access="read")
2059
2021
def Expires_dbus_property(self):
2060
2022
return datetime_to_dbus(self.expires)
2061
2023
2062
2024
# LastApprovalRequest - property
2063
2025
@dbus_service_property(_interface, signature="s", access="read")
2064
2026
def LastApprovalRequest_dbus_property(self):
2065
2027
return datetime_to_dbus(self.last_approval_request)
2066
2028
2067
2029
# Timeout - property
2068
2030
@dbus_service_property(_interface,
2069
2031
signature="t",
2088
2050
self.disable_initiator_tag = GLib.timeout_add(
2089
2051
int((self.expires - now).total_seconds() * 1000),
2090
2052
self.disable)
2091
2053
2092
2054
# ExtendedTimeout - property
2093
2055
@dbus_service_property(_interface,
2094
2056
signature="t",
2098
2060
return dbus.UInt64(self.extended_timeout.total_seconds()
2099
2061
* 1000)
2100
2062
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
2101
2063
2102
2064
# Interval - property
2103
2065
@dbus_service_property(_interface,
2104
2066
signature="t",
2114
2076
GLib.source_remove(self.checker_initiator_tag)
2115
2077
self.checker_initiator_tag = GLib.timeout_add(
2116
2078
value, self.start_checker)
2117
self.start_checker() # Start one now, too
2118
2079
self.start_checker() # Start one now, too
2080
2119
2081
# Checker - property
2120
2082
@dbus_service_property(_interface,
2121
2083
signature="s",
2124
2086
if value is None: # get
2125
2087
return dbus.String(self.checker_command)
2126
2088
self.checker_command = str(value)
2127
2089
2128
2090
# CheckerRunning - property
2129
2091
@dbus_service_property(_interface,
2130
2092
signature="b",
2136
2098
self.start_checker()
2137
2099
else:
2138
2100
self.stop_checker()
2139
2101
2140
2102
# ObjectPath - property
2141
2103
@dbus_annotations(
2142
2104
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2143
2105
"org.freedesktop.DBus.Deprecated": "true"})
2144
2106
@dbus_service_property(_interface, signature="o", access="read")
2145
2107
def ObjectPath_dbus_property(self):
2146
return self.dbus_object_path # is already a dbus.ObjectPath
2147
2108
return self.dbus_object_path # is already a dbus.ObjectPath
2109
2148
2110
# Secret = property
2149
2111
@dbus_annotations(
2150
2112
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2155
2117
byte_arrays=True)
2156
2118
def Secret_dbus_property(self, value):
2157
2119
self.secret = bytes(value)
2158
2120
2159
2121
del _interface
2160
2122
2161
2123
2165
2127
self._pipe.send(('init', fpr, address))
2166
2128
if not self._pipe.recv():
2167
2129
raise KeyError(fpr)
2168
2130
2169
2131
def __getattribute__(self, name):
2170
2132
if name == '_pipe':
2171
2133
return super(ProxyClient, self).__getattribute__(name)
2174
2136
if data[0] == 'data':
2175
2137
return data[1]
2176
2138
if data[0] == 'function':
2177
2139
2178
2140
def func(*args, **kwargs):
2179
2141
self._pipe.send(('funcall', name, args, kwargs))
2180
2142
return self._pipe.recv()[1]
2181
2143
2182
2144
return func
2183
2145
2184
2146
def __setattr__(self, name, value):
2185
2147
if name == '_pipe':
2186
2148
return super(ProxyClient, self).__setattr__(name, value)
2189
2151
2190
2152
class ClientHandler(socketserver.BaseRequestHandler, object):
2191
2153
"""A class to handle client connections.
2192
2154
2193
2155
Instantiated once for each connection to handle it.
2194
2156
Note: This will run in its own forked process."""
2195
2157
2196
2158
def handle(self):
2197
2159
with contextlib.closing(self.server.child_pipe) as child_pipe:
2198
2160
logger.info("TCP connection from: %s",
2199
2161
str(self.client_address))
2200
2162
logger.debug("Pipe FD: %d",
2201
2163
self.server.child_pipe.fileno())
2202
2164
2203
2165
session = gnutls.ClientSession(self.request)
2204
2205
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2206
# "+AES-256-CBC", "+SHA1",
2207
# "+COMP-NULL", "+CTYPE-OPENPGP",
2208
# "+DHE-DSS"))
2166
2167
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
2168
# "+AES-256-CBC", "+SHA1",
2169
# "+COMP-NULL", "+CTYPE-OPENPGP",
2170
# "+DHE-DSS"))
2209
2171
# Use a fallback default, since this MUST be set.
2210
2172
priority = self.server.gnutls_priority
2211
2173
if priority is None:
2212
2174
priority = "NORMAL"
2213
gnutls.priority_set_direct(session._c_object,
2214
priority.encode("utf-8"),
2175
gnutls.priority_set_direct(session._c_object, priority,
2215
2176
None)
2216
2177
2217
2178
# Start communication using the Mandos protocol
2218
2179
# Get protocol number
2219
2180
line = self.request.makefile().readline()
2224
2185
except (ValueError, IndexError, RuntimeError) as error:
2225
2186
logger.error("Unknown protocol version: %s", error)
2226
2187
return
2227
2188
2228
2189
# Start GnuTLS connection
2229
2190
try:
2230
2191
session.handshake()
2234
2195
# established. Just abandon the request.
2235
2196
return
2236
2197
logger.debug("Handshake succeeded")
2237
2198
2238
2199
approval_required = False
2239
2200
try:
2240
2201
try:
2244
2205
logger.warning("Bad certificate: %s", error)
2245
2206
return
2246
2207
logger.debug("Fingerprint: %s", fpr)
2247
2208
2248
2209
try:
2249
2210
client = ProxyClient(child_pipe, fpr,
2250
2211
self.client_address)
2251
2212
except KeyError:
2252
2213
return
2253
2214
2254
2215
if client.approval_delay:
2255
2216
delay = client.approval_delay
2256
2217
client.approvals_pending += 1
2257
2218
approval_required = True
2258
2219
2259
2220
while True:
2260
2221
if not client.enabled:
2261
2222
logger.info("Client %s is disabled",
2264
2225
# Emit D-Bus signal
2265
2226
client.Rejected("Disabled")
2266
2227
return
2267
2228
2268
2229
if client.approved or not client.approval_delay:
2269
# We are approved or approval is disabled
2230
#We are approved or approval is disabled
2270
2231
break
2271
2232
elif client.approved is None:
2272
2233
logger.info("Client %s needs approval",
2283
2244
# Emit D-Bus signal
2284
2245
client.Rejected("Denied")
2285
2246
return
2286
2287
# wait until timeout or approved
2247
2248
#wait until timeout or approved
2288
2249
time = datetime.datetime.now()
2289
2250
client.changedstate.acquire()
2290
2251
client.changedstate.wait(delay.total_seconds())
2303
2264
break
2304
2265
else:
2305
2266
delay -= time2 - time
2306
2267
2307
2268
try:
2308
2269
session.send(client.secret)
2309
2270
except gnutls.Error as error:
2310
2271
logger.warning("gnutls send failed",
2311
exc_info=error)
2272
exc_info = error)
2312
2273
return
2313
2274
2314
2275
logger.info("Sending secret to %s", client.name)
2315
2276
# bump the timeout using extended_timeout
2316
2277
client.bump_timeout(client.extended_timeout)
2317
2278
if self.server.use_dbus:
2318
2279
# Emit D-Bus signal
2319
2280
client.GotSecret()
2320
2281
2321
2282
finally:
2322
2283
if approval_required:
2323
2284
client.approvals_pending -= 1
2326
2287
except gnutls.Error as error:
2327
2288
logger.warning("GnuTLS bye failed",
2328
2289
exc_info=error)
2329
2290
2330
2291
@staticmethod
2331
2292
def peer_certificate(session):
2332
2293
"Return the peer's OpenPGP certificate as a bytestring"
2344
2305
return None
2345
2306
cert = cert_list[0]
2346
2307
return ctypes.string_at(cert.data, cert.size)
2347
2308
2348
2309
@staticmethod
2349
2310
def fingerprint(openpgp):
2350
2311
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2365
2326
ctypes.byref(crtverify))
2366
2327
if crtverify.value != 0:
2367
2328
gnutls.openpgp_crt_deinit(crt)
2368
raise gnutls.CertificateSecurityError(code
2369
=crtverify.value)
2329
raise gnutls.CertificateSecurityError("Verify failed")
2370
2330
# New buffer for the fingerprint
2371
2331
buf = ctypes.create_string_buffer(20)
2372
2332
buf_len = ctypes.c_size_t()
2384
2344
2385
2345
class MultiprocessingMixIn(object):
2386
2346
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2387
2347
2388
2348
def sub_process_main(self, request, address):
2389
2349
try:
2390
2350
self.finish_request(request, address)
2391
2351
except Exception:
2392
2352
self.handle_error(request, address)
2393
2353
self.close_request(request)
2394
2354
2395
2355
def process_request(self, request, address):
2396
2356
"""Start a new process to process the request."""
2397
proc = multiprocessing.Process(target=self.sub_process_main,
2398
args=(request, address))
2357
proc = multiprocessing.Process(target = self.sub_process_main,
2358
args = (request, address))
2399
2359
proc.start()
2400
2360
return proc
2401
2361
2402
2362
2403
2363
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2404
2364
""" adds a pipe to the MixIn """
2405
2365
2406
2366
def process_request(self, request, client_address):
2407
2367
"""Overrides and wraps the original process_request().
2408
2368
2409
2369
This function creates a new pipe in self.pipe
2410
2370
"""
2411
2371
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2412
2372
2413
2373
proc = MultiprocessingMixIn.process_request(self, request,
2414
2374
client_address)
2415
2375
self.child_pipe.close()
2416
2376
self.add_pipe(parent_pipe, proc)
2417
2377
2418
2378
def add_pipe(self, parent_pipe, proc):
2419
2379
"""Dummy function; override as necessary"""
2420
2380
raise NotImplementedError()
2423
2383
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2424
2384
socketserver.TCPServer, object):
2425
2385
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2426
2386
2427
2387
Attributes:
2428
2388
enabled: Boolean; whether this server is activated yet
2429
2389
interface: None or a network interface name (string)
2430
2390
use_ipv6: Boolean; to use IPv6 or not
2431
2391
"""
2432
2392
2433
2393
def __init__(self, server_address, RequestHandlerClass,
2434
2394
interface=None,
2435
2395
use_ipv6=True,
2445
2405
self.socketfd = socketfd
2446
2406
# Save the original socket.socket() function
2447
2407
self.socket_socket = socket.socket
2448
2449
2408
# To implement --socket, we monkey patch socket.socket.
2450
#
2409
#
2451
2410
# (When socketserver.TCPServer is a new-style class, we
2452
2411
# could make self.socket into a property instead of monkey
2453
2412
# patching socket.socket.)
2454
#
2413
#
2455
2414
# Create a one-time-only replacement for socket.socket()
2456
2415
@functools.wraps(socket.socket)
2457
2416
def socket_wrapper(*args, **kwargs):
2469
2428
# socket_wrapper(), if socketfd was set.
2470
2429
socketserver.TCPServer.__init__(self, server_address,
2471
2430
RequestHandlerClass)
2472
2431
2473
2432
def server_bind(self):
2474
2433
"""This overrides the normal server_bind() function
2475
2434
to bind to an interface if one was specified, and also NOT to
2476
2435
bind to an address or port if they were not specified."""
2477
global SO_BINDTODEVICE
2478
2436
if self.interface is not None:
2479
2437
if SO_BINDTODEVICE is None:
2480
# Fall back to a hard-coded value which seems to be
2481
# common enough.
2482
logger.warning("SO_BINDTODEVICE not found, trying 25")
2483
SO_BINDTODEVICE = 25
2484
try:
2485
self.socket.setsockopt(
2486
socket.SOL_SOCKET, SO_BINDTODEVICE,
2487
(self.interface + "\0").encode("utf-8"))
2488
except socket.error as error:
2489
if error.errno == errno.EPERM:
2490
logger.error("No permission to bind to"
2491
" interface %s", self.interface)
2492
elif error.errno == errno.ENOPROTOOPT:
2493
logger.error("SO_BINDTODEVICE not available;"
2494
" cannot bind to interface %s",
2495
self.interface)
2496
elif error.errno == errno.ENODEV:
2497
logger.error("Interface %s does not exist,"
2498
" cannot bind", self.interface)
2499
else:
2500
raise
2438
logger.error("SO_BINDTODEVICE does not exist;"
2439
" cannot bind to interface %s",
2440
self.interface)
2441
else:
2442
try:
2443
self.socket.setsockopt(
2444
socket.SOL_SOCKET, SO_BINDTODEVICE,
2445
(self.interface + "\0").encode("utf-8"))
2446
except socket.error as error:
2447
if error.errno == errno.EPERM:
2448
logger.error("No permission to bind to"
2449
" interface %s", self.interface)
2450
elif error.errno == errno.ENOPROTOOPT:
2451
logger.error("SO_BINDTODEVICE not available;"
2452
" cannot bind to interface %s",
2453
self.interface)
2454
elif error.errno == errno.ENODEV:
2455
logger.error("Interface %s does not exist,"
2456
" cannot bind", self.interface)
2457
else:
2458
raise
2501
2459
# Only bind(2) the socket if we really need to.
2502
2460
if self.server_address[0] or self.server_address[1]:
2503
2461
if not self.server_address[0]:
2504
2462
if self.address_family == socket.AF_INET6:
2505
any_address = "::" # in6addr_any
2463
any_address = "::" # in6addr_any
2506
2464
else:
2507
any_address = "0.0.0.0" # INADDR_ANY
2465
any_address = "0.0.0.0" # INADDR_ANY
2508
2466
self.server_address = (any_address,
2509
2467
self.server_address[1])
2510
2468
elif not self.server_address[1]:
2520
2478
2521
2479
class MandosServer(IPv6_TCPServer):
2522
2480
"""Mandos server.
2523
2481
2524
2482
Attributes:
2525
2483
clients: set of Client objects
2526
2484
gnutls_priority GnuTLS priority string
2527
2485
use_dbus: Boolean; to emit D-Bus signals or not
2528
2486
2529
2487
Assumes a GLib.MainLoop event loop.
2530
2488
"""
2531
2489
2532
2490
def __init__(self, server_address, RequestHandlerClass,
2533
2491
interface=None,
2534
2492
use_ipv6=True,
2544
2502
self.gnutls_priority = gnutls_priority
2545
2503
IPv6_TCPServer.__init__(self, server_address,
2546
2504
RequestHandlerClass,
2547
interface=interface,
2548
use_ipv6=use_ipv6,
2549
socketfd=socketfd)
2550
2505
interface = interface,
2506
use_ipv6 = use_ipv6,
2507
socketfd = socketfd)
2508
2551
2509
def server_activate(self):
2552
2510
if self.enabled:
2553
2511
return socketserver.TCPServer.server_activate(self)
2554
2512
2555
2513
def enable(self):
2556
2514
self.enabled = True
2557
2515
2558
2516
def add_pipe(self, parent_pipe, proc):
2559
2517
# Call "handle_ipc" for both data and EOF events
2560
2518
GLib.io_add_watch(
2561
2519
parent_pipe.fileno(),
2562
2520
GLib.IO_IN | GLib.IO_HUP,
2563
2521
functools.partial(self.handle_ipc,
2564
parent_pipe=parent_pipe,
2565
proc=proc))
2566
2522
parent_pipe = parent_pipe,
2523
proc = proc))
2524
2567
2525
def handle_ipc(self, source, condition,
2568
2526
parent_pipe=None,
2569
proc=None,
2527
proc = None,
2570
2528
client_object=None):
2571
2529
# error, or the other end of multiprocessing.Pipe has closed
2572
2530
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2573
2531
# Wait for other process to exit
2574
2532
proc.join()
2575
2533
return False
2576
2534
2577
2535
# Read a request from the child
2578
2536
request = parent_pipe.recv()
2579
2537
command = request[0]
2580
2538
2581
2539
if command == 'init':
2582
fpr = request[1].decode("ascii")
2540
fpr = request[1]
2583
2541
address = request[2]
2584
2542
2585
2543
for c in self.clients.values():
2586
2544
if c.fingerprint == fpr:
2587
2545
client = c
2595
2553
address[0])
2596
2554
parent_pipe.send(False)
2597
2555
return False
2598
2556
2599
2557
GLib.io_add_watch(
2600
2558
parent_pipe.fileno(),
2601
2559
GLib.IO_IN | GLib.IO_HUP,
2602
2560
functools.partial(self.handle_ipc,
2603
parent_pipe=parent_pipe,
2604
proc=proc,
2605
client_object=client))
2561
parent_pipe = parent_pipe,
2562
proc = proc,
2563
client_object = client))
2606
2564
parent_pipe.send(True)
2607
2565
# remove the old hook in favor of the new above hook on
2608
2566
# same fileno
2611
2569
funcname = request[1]
2612
2570
args = request[2]
2613
2571
kwargs = request[3]
2614
2572
2615
2573
parent_pipe.send(('data', getattr(client_object,
2616
2574
funcname)(*args,
2617
2575
**kwargs)))
2618
2576
2619
2577
if command == 'getattr':
2620
2578
attrname = request[1]
2621
2579
if isinstance(client_object.__getattribute__(attrname),
2624
2582
else:
2625
2583
parent_pipe.send((
2626
2584
'data', client_object.__getattribute__(attrname)))
2627
2585
2628
2586
if command == 'setattr':
2629
2587
attrname = request[1]
2630
2588
value = request[2]
2631
2589
setattr(client_object, attrname, value)
2632
2590
2633
2591
return True
2634
2592
2635
2593
2636
2594
def rfc3339_duration_to_delta(duration):
2637
2595
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2638
2596
2639
2597
>>> rfc3339_duration_to_delta("P7D")
2640
2598
datetime.timedelta(7)
2641
2599
>>> rfc3339_duration_to_delta("PT60S")
2651
2609
>>> rfc3339_duration_to_delta("P1DT3M20S")
2652
2610
datetime.timedelta(1, 200)
2653
2611
"""
2654
2612
2655
2613
# Parsing an RFC 3339 duration with regular expressions is not
2656
2614
# possible - there would have to be multiple places for the same
2657
2615
# values, like seconds. The current code, while more esoteric, is
2658
2616
# cleaner without depending on a parsing library. If Python had a
2659
2617
# built-in library for parsing we would use it, but we'd like to
2660
2618
# avoid excessive use of external libraries.
2661
2619
2662
2620
# New type for defining tokens, syntax, and semantics all-in-one
2663
2621
Token = collections.namedtuple("Token", (
2664
2622
"regexp", # To match token; if "value" is not None, must have
2697
2655
frozenset((token_year, token_month,
2698
2656
token_day, token_time,
2699
2657
token_week)))
2700
# Define starting values:
2701
# Value so far
2702
value = datetime.timedelta()
2658
# Define starting values
2659
value = datetime.timedelta() # Value so far
2703
2660
found_token = None
2704
# Following valid tokens
2705
followers = frozenset((token_duration, ))
2706
# String left to parse
2707
s = duration
2661
followers = frozenset((token_duration, )) # Following valid tokens
2662
s = duration # String left to parse
2708
2663
# Loop until end token is found
2709
2664
while found_token is not token_end:
2710
2665
# Search for any currently valid tokens
2734
2689
2735
2690
def string_to_delta(interval):
2736
2691
"""Parse a string and return a datetime.timedelta
2737
2692
2738
2693
>>> string_to_delta('7d')
2739
2694
datetime.timedelta(7)
2740
2695
>>> string_to_delta('60s')
2748
2703
>>> string_to_delta('5m 30s')
2749
2704
datetime.timedelta(0, 330)
2750
2705
"""
2751
2706
2752
2707
try:
2753
2708
return rfc3339_duration_to_delta(interval)
2754
2709
except ValueError:
2755
2710
pass
2756
2711
2757
2712
timevalue = datetime.timedelta(0)
2758
2713
for s in interval.split():
2759
2714
try:
2777
2732
return timevalue
2778
2733
2779
2734
2780
def daemon(nochdir=False, noclose=False):
2735
def daemon(nochdir = False, noclose = False):
2781
2736
"""See daemon(3). Standard BSD Unix function.
2782
2737
2783
2738
This should really exist as os.daemon, but it doesn't (yet)."""
2784
2739
if os.fork():
2785
2740
sys.exit()
2803
2758
2804
2759
2805
2760
def main():
2806
2761
2807
2762
##################################################################
2808
2763
# Parsing of options, both command line and config file
2809
2764
2810
2765
parser = argparse.ArgumentParser()
2811
2766
parser.add_argument("-v", "--version", action="version",
2812
version="%(prog)s {}".format(version),
2767
version = "%(prog)s {}".format(version),
2813
2768
help="show version number and exit")
2814
2769
parser.add_argument("-i", "--interface", metavar="IF",
2815
2770
help="Bind to interface IF")
2851
2806
parser.add_argument("--no-zeroconf", action="store_false",
2852
2807
dest="zeroconf", help="Do not use Zeroconf",
2853
2808
default=None)
2854
2809
2855
2810
options = parser.parse_args()
2856
2811
2857
2812
if options.check:
2858
2813
import doctest
2859
2814
fail_count, test_count = doctest.testmod()
2860
2815
sys.exit(os.EX_OK if fail_count == 0 else 1)
2861
2816
2862
2817
# Default values for config file for server-global settings
2863
server_defaults = {"interface": "",
2864
"address": "",
2865
"port": "",
2866
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2870
"servicename": "Mandos",
2871
"use_dbus": "True",
2872
"use_ipv6": "True",
2873
"debuglevel": "",
2874
"restore": "True",
2875
"socket": "",
2876
"statedir": "/var/lib/mandos",
2877
"foreground": "False",
2878
"zeroconf": "True",
2879
}
2880
2818
server_defaults = { "interface": "",
2819
"address": "",
2820
"port": "",
2821
"debug": "False",
2822
"priority":
2823
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2824
":+SIGN-DSA-SHA256",
2825
"servicename": "Mandos",
2826
"use_dbus": "True",
2827
"use_ipv6": "True",
2828
"debuglevel": "",
2829
"restore": "True",
2830
"socket": "",
2831
"statedir": "/var/lib/mandos",
2832
"foreground": "False",
2833
"zeroconf": "True",
2834
}
2835
2881
2836
# Parse config file for server-global settings
2882
2837
server_config = configparser.SafeConfigParser(server_defaults)
2883
2838
del server_defaults
2885
2840
# Convert the SafeConfigParser object to a dict
2886
2841
server_settings = server_config.defaults()
2887
2842
# Use the appropriate methods on the non-string config options
2888
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2889
"foreground", "zeroconf"):
2843
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2890
2844
server_settings[option] = server_config.getboolean("DEFAULT",
2891
2845
option)
2892
2846
if server_settings["port"]:
2902
2856
server_settings["socket"] = os.dup(server_settings
2903
2857
["socket"])
2904
2858
del server_config
2905
2859
2906
2860
# Override the settings from the config file with command line
2907
2861
# options, if set.
2908
2862
for option in ("interface", "address", "port", "debug",
2926
2880
if server_settings["debug"]:
2927
2881
server_settings["foreground"] = True
2928
2882
# Now we have our good server settings in "server_settings"
2929
2883
2930
2884
##################################################################
2931
2885
2932
2886
if (not server_settings["zeroconf"]
2933
2887
and not (server_settings["port"]
2934
2888
or server_settings["socket"] != "")):
2935
2889
parser.error("Needs port or socket to work without Zeroconf")
2936
2890
2937
2891
# For convenience
2938
2892
debug = server_settings["debug"]
2939
2893
debuglevel = server_settings["debuglevel"]
2943
2897
stored_state_file)
2944
2898
foreground = server_settings["foreground"]
2945
2899
zeroconf = server_settings["zeroconf"]
2946
2900
2947
2901
if debug:
2948
2902
initlogger(debug, logging.DEBUG)
2949
2903
else:
2952
2906
else:
2953
2907
level = getattr(logging, debuglevel.upper())
2954
2908
initlogger(debug, level)
2955
2909
2956
2910
if server_settings["servicename"] != "Mandos":
2957
2911
syslogger.setFormatter(
2958
2912
logging.Formatter('Mandos ({}) [%(process)d]:'
2959
2913
' %(levelname)s: %(message)s'.format(
2960
2914
server_settings["servicename"])))
2961
2915
2962
2916
# Parse config file with clients
2963
2917
client_config = configparser.SafeConfigParser(Client
2964
2918
.client_defaults)
2965
2919
client_config.read(os.path.join(server_settings["configdir"],
2966
2920
"clients.conf"))
2967
2921
2968
2922
global mandos_dbus_service
2969
2923
mandos_dbus_service = None
2970
2924
2971
2925
socketfd = None
2972
2926
if server_settings["socket"] != "":
2973
2927
socketfd = server_settings["socket"]
2989
2943
except IOError as e:
2990
2944
logger.error("Could not open file %r", pidfilename,
2991
2945
exc_info=e)
2992
2946
2993
2947
for name, group in (("_mandos", "_mandos"),
2994
2948
("mandos", "mandos"),
2995
2949
("nobody", "nogroup")):
3013
2967
.format(uid, gid, os.strerror(error.errno)))
3014
2968
if error.errno != errno.EPERM:
3015
2969
raise
3016
2970
3017
2971
if debug:
3018
2972
# Enable all possible GnuTLS debugging
3019
2973
3020
2974
# "Use a log level over 10 to enable all debugging options."
3021
2975
# - GnuTLS manual
3022
2976
gnutls.global_set_log_level(11)
3023
2977
3024
2978
@gnutls.log_func
3025
2979
def debug_gnutls(level, string):
3026
2980
logger.debug("GnuTLS: %s", string[:-1])
3027
2981
3028
2982
gnutls.global_set_log_function(debug_gnutls)
3029
2983
3030
2984
# Redirect stdin so all checkers get /dev/null
3031
2985
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
3032
2986
os.dup2(null, sys.stdin.fileno())
3033
2987
if null > 2:
3034
2988
os.close(null)
3035
2989
3036
2990
# Need to fork before connecting to D-Bus
3037
2991
if not foreground:
3038
2992
# Close all input and output, do double fork, etc.
3039
2993
daemon()
3040
2994
3041
2995
# multiprocessing will use threads, so before we use GLib we need
3042
2996
# to inform GLib that threads will be used.
3043
2997
GLib.threads_init()
3044
2998
3045
2999
global main_loop
3046
3000
# From the Avahi example code
3047
3001
DBusGMainLoop(set_as_default=True)
3064
3018
if zeroconf:
3065
3019
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3066
3020
service = AvahiServiceToSyslog(
3067
name=server_settings["servicename"],
3068
servicetype="_mandos._tcp",
3069
protocol=protocol,
3070
bus=bus)
3021
name = server_settings["servicename"],
3022
servicetype = "_mandos._tcp",
3023
protocol = protocol,
3024
bus = bus)
3071
3025
if server_settings["interface"]:
3072
3026
service.interface = if_nametoindex(
3073
3027
server_settings["interface"].encode("utf-8"))
3074
3028
3075
3029
global multiprocessing_manager
3076
3030
multiprocessing_manager = multiprocessing.Manager()
3077
3031
3078
3032
client_class = Client
3079
3033
if use_dbus:
3080
client_class = functools.partial(ClientDBus, bus=bus)
3081
3034
client_class = functools.partial(ClientDBus, bus = bus)
3035
3082
3036
client_settings = Client.config_parser(client_config)
3083
3037
old_client_settings = {}
3084
3038
clients_data = {}
3085
3039
3086
3040
# This is used to redirect stdout and stderr for checker processes
3087
3041
global wnull
3088
wnull = open(os.devnull, "w") # A writable /dev/null
3042
wnull = open(os.devnull, "w") # A writable /dev/null
3089
3043
# Only used if server is running in foreground but not in debug
3090
3044
# mode
3091
3045
if debug or not foreground:
3092
3046
wnull.close()
3093
3047
3094
3048
# Get client data and settings from last running state.
3095
3049
if server_settings["restore"]:
3096
3050
try:
3097
3051
with open(stored_state_path, "rb") as stored_state:
3098
if sys.version_info.major == 2:
3052
if sys.version_info.major == 2:
3099
3053
clients_data, old_client_settings = pickle.load(
3100
3054
stored_state)
3101
3055
else:
3102
3056
bytes_clients_data, bytes_old_client_settings = (
3103
pickle.load(stored_state, encoding="bytes"))
3104
# Fix bytes to strings
3105
# clients_data
3057
pickle.load(stored_state, encoding = "bytes"))
3058
### Fix bytes to strings
3059
## clients_data
3106
3060
# .keys()
3107
clients_data = {(key.decode("utf-8")
3108
if isinstance(key, bytes)
3109
else key): value
3110
for key, value in
3111
bytes_clients_data.items()}
3061
clients_data = { (key.decode("utf-8")
3062
if isinstance(key, bytes)
3063
else key): value
3064
for key, value in
3065
bytes_clients_data.items() }
3112
3066
del bytes_clients_data
3113
3067
for key in clients_data:
3114
value = {(k.decode("utf-8")
3115
if isinstance(k, bytes) else k): v
3116
for k, v in
3117
clients_data[key].items()}
3068
value = { (k.decode("utf-8")
3069
if isinstance(k, bytes) else k): v
3070
for k, v in
3071
clients_data[key].items() }
3118
3072
clients_data[key] = value
3119
3073
# .client_structure
3120
3074
value["client_structure"] = [
3121
3075
(s.decode("utf-8")
3122
3076
if isinstance(s, bytes)
3123
3077
else s) for s in
3124
value["client_structure"]]
3078
value["client_structure"] ]
3125
3079
# .name & .host
3126
3080
for k in ("name", "host"):
3127
3081
if isinstance(value[k], bytes):
3128
3082
value[k] = value[k].decode("utf-8")
3129
# old_client_settings
3083
## old_client_settings
3130
3084
# .keys()
3131
3085
old_client_settings = {
3132
3086
(key.decode("utf-8")
3133
3087
if isinstance(key, bytes)
3134
3088
else key): value
3135
3089
for key, value in
3136
bytes_old_client_settings.items()}
3090
bytes_old_client_settings.items() }
3137
3091
del bytes_old_client_settings
3138
3092
# .host
3139
3093
for value in old_client_settings.values():
3153
3107
logger.warning("Could not load persistent state: "
3154
3108
"EOFError:",
3155
3109
exc_info=e)
3156
3110
3157
3111
with PGPEngine() as pgp:
3158
3112
for client_name, client in clients_data.items():
3159
3113
# Skip removed clients
3160
3114
if client_name not in client_settings:
3161
3115
continue
3162
3116
3163
3117
# Decide which value to use after restoring saved state.
3164
3118
# We have three different values: Old config file,
3165
3119
# new config file, and saved state.
3176
3130
client[name] = value
3177
3131
except KeyError:
3178
3132
pass
3179
3133
3180
3134
# Clients who has passed its expire date can still be
3181
3135
# enabled if its last checker was successful. A Client
3182
3136
# whose checker succeeded before we stored its state is
3215
3169
client_name))
3216
3170
client["secret"] = (client_settings[client_name]
3217
3171
["secret"])
3218
3172
3219
3173
# Add/remove clients based on new changes made to config
3220
3174
for client_name in (set(old_client_settings)
3221
3175
- set(client_settings)):
3223
3177
for client_name in (set(client_settings)
3224
3178
- set(old_client_settings)):
3225
3179
clients_data[client_name] = client_settings[client_name]
3226
3180
3227
3181
# Create all client objects
3228
3182
for client_name, client in clients_data.items():
3229
3183
tcp_server.clients[client_name] = client_class(
3230
name=client_name,
3231
settings=client,
3232
server_settings=server_settings)
3233
3184
name = client_name,
3185
settings = client,
3186
server_settings = server_settings)
3187
3234
3188
if not tcp_server.clients:
3235
3189
logger.warning("No clients defined")
3236
3190
3237
3191
if not foreground:
3238
3192
if pidfile is not None:
3239
3193
pid = os.getpid()
3245
3199
pidfilename, pid)
3246
3200
del pidfile
3247
3201
del pidfilename
3248
3202
3249
3203
for termsig in (signal.SIGHUP, signal.SIGTERM):
3250
3204
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3251
3205
lambda: main_loop.quit() and False)
3252
3206
3253
3207
if use_dbus:
3254
3208
3255
3209
@alternate_dbus_interfaces(
3256
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3210
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3257
3211
class MandosDBusService(DBusObjectWithObjectManager):
3258
3212
"""A D-Bus proxy object"""
3259
3213
3260
3214
def __init__(self):
3261
3215
dbus.service.Object.__init__(self, bus, "/")
3262
3216
3263
3217
_interface = "se.recompile.Mandos"
3264
3218
3265
3219
@dbus.service.signal(_interface, signature="o")
3266
3220
def ClientAdded(self, objpath):
3267
3221
"D-Bus signal"
3268
3222
pass
3269
3223
3270
3224
@dbus.service.signal(_interface, signature="ss")
3271
3225
def ClientNotFound(self, fingerprint, address):
3272
3226
"D-Bus signal"
3273
3227
pass
3274
3228
3275
3229
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3276
3230
"true"})
3277
3231
@dbus.service.signal(_interface, signature="os")
3278
3232
def ClientRemoved(self, objpath, name):
3279
3233
"D-Bus signal"
3280
3234
pass
3281
3235
3282
3236
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3283
3237
"true"})
3284
3238
@dbus.service.method(_interface, out_signature="ao")
3286
3240
"D-Bus method"
3287
3241
return dbus.Array(c.dbus_object_path for c in
3288
3242
tcp_server.clients.values())
3289
3243
3290
3244
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3291
3245
"true"})
3292
3246
@dbus.service.method(_interface,
3294
3248
def GetAllClientsWithProperties(self):
3295
3249
"D-Bus method"
3296
3250
return dbus.Dictionary(
3297
{c.dbus_object_path: c.GetAll(
3251
{ c.dbus_object_path: c.GetAll(
3298
3252
"se.recompile.Mandos.Client")
3299
for c in tcp_server.clients.values()},
3253
for c in tcp_server.clients.values() },
3300
3254
signature="oa{sv}")
3301
3255
3302
3256
@dbus.service.method(_interface, in_signature="o")
3303
3257
def RemoveClient(self, object_path):
3304
3258
"D-Bus method"
3312
3266
self.client_removed_signal(c)
3313
3267
return
3314
3268
raise KeyError(object_path)
3315
3269
3316
3270
del _interface
3317
3271
3318
3272
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3319
out_signature="a{oa{sa{sv}}}")
3273
out_signature = "a{oa{sa{sv}}}")
3320
3274
def GetManagedObjects(self):
3321
3275
"""D-Bus method"""
3322
3276
return dbus.Dictionary(
3323
{client.dbus_object_path:
3324
dbus.Dictionary(
3325
{interface: client.GetAll(interface)
3326
for interface in
3327
client._get_all_interface_names()})
3328
for client in tcp_server.clients.values()})
3329
3277
{ client.dbus_object_path:
3278
dbus.Dictionary(
3279
{ interface: client.GetAll(interface)
3280
for interface in
3281
client._get_all_interface_names()})
3282
for client in tcp_server.clients.values()})
3283
3330
3284
def client_added_signal(self, client):
3331
3285
"""Send the new standard signal and the old signal"""
3332
3286
if use_dbus:
3334
3288
self.InterfacesAdded(
3335
3289
client.dbus_object_path,
3336
3290
dbus.Dictionary(
3337
{interface: client.GetAll(interface)
3338
for interface in
3339
client._get_all_interface_names()}))
3291
{ interface: client.GetAll(interface)
3292
for interface in
3293
client._get_all_interface_names()}))
3340
3294
# Old signal
3341
3295
self.ClientAdded(client.dbus_object_path)
3342
3296
3343
3297
def client_removed_signal(self, client):
3344
3298
"""Send the new standard signal and the old signal"""
3345
3299
if use_dbus:
3350
3304
# Old signal
3351
3305
self.ClientRemoved(client.dbus_object_path,
3352
3306
client.name)
3353
3307
3354
3308
mandos_dbus_service = MandosDBusService()
3355
3356
# Save modules to variables to exempt the modules from being
3357
# unloaded before the function registered with atexit() is run.
3358
mp = multiprocessing
3359
wn = wnull
3360
3309
3361
3310
def cleanup():
3362
3311
"Cleanup function; run on exit"
3363
3312
if zeroconf:
3364
3313
service.cleanup()
3365
3366
mp.active_children()
3367
wn.close()
3314
3315
multiprocessing.active_children()
3316
wnull.close()
3368
3317
if not (tcp_server.clients or client_settings):
3369
3318
return
3370
3319
3371
3320
# Store client before exiting. Secrets are encrypted with key
3372
3321
# based on what config file has. If config file is
3373
3322
# removed/edited, old secret will thus be unrecovable.
3378
3327
client.encrypted_secret = pgp.encrypt(client.secret,
3379
3328
key)
3380
3329
client_dict = {}
3381
3330
3382
3331
# A list of attributes that can not be pickled
3383
3332
# + secret.
3384
exclude = {"bus", "changedstate", "secret",
3385
"checker", "server_settings"}
3333
exclude = { "bus", "changedstate", "secret",
3334
"checker", "server_settings" }
3386
3335
for name, typ in inspect.getmembers(dbus.service
3387
3336
.Object):
3388
3337
exclude.add(name)
3389
3338
3390
3339
client_dict["encrypted_secret"] = (client
3391
3340
.encrypted_secret)
3392
3341
for attr in client.client_structure:
3393
3342
if attr not in exclude:
3394
3343
client_dict[attr] = getattr(client, attr)
3395
3344
3396
3345
clients[client.name] = client_dict
3397
3346
del client_settings[client.name]["secret"]
3398
3347
3399
3348
try:
3400
3349
with tempfile.NamedTemporaryFile(
3401
3350
mode='wb',
3404
3353
dir=os.path.dirname(stored_state_path),
3405
3354
delete=False) as stored_state:
3406
3355
pickle.dump((clients, client_settings), stored_state,
3407
protocol=2)
3356
protocol = 2)
3408
3357
tempname = stored_state.name
3409
3358
os.rename(tempname, stored_state_path)
3410
3359
except (IOError, OSError) as e:
3420
3369
logger.warning("Could not save persistent state:",
3421
3370
exc_info=e)
3422
3371
raise
3423
3372
3424
3373
# Delete all clients, and settings from config
3425
3374
while tcp_server.clients:
3426
3375
name, client = tcp_server.clients.popitem()
3432
3381
if use_dbus:
3433
3382
mandos_dbus_service.client_removed_signal(client)
3434
3383
client_settings.clear()
3435
3384
3436
3385
atexit.register(cleanup)
3437
3386
3438
3387
for client in tcp_server.clients.values():
3439
3388
if use_dbus:
3440
3389
# Emit D-Bus signal for adding
3442
3391
# Need to initiate checking of clients
3443
3392
if client.enabled:
3444
3393
client.init_checker()
3445
3394
3446
3395
tcp_server.enable()
3447
3396
tcp_server.server_activate()
3448
3397
3449
3398
# Find out what port we got
3450
3399
if zeroconf:
3451
3400
service.port = tcp_server.socket.getsockname()[1]
3456
3405
else: # IPv4
3457
3406
logger.info("Now listening on address %r, port %d",
3458
3407
*tcp_server.socket.getsockname())
3459
3460
# service.interface = tcp_server.socket.getsockname()[3]
3461
3408
3409
#service.interface = tcp_server.socket.getsockname()[3]
3410
3462
3411
try:
3463
3412
if zeroconf:
3464
3413
# From the Avahi example code
3469
3418
cleanup()
3470
3419
sys.exit(1)
3471
3420
# End of Avahi example code
3472
3421
3473
3422
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
3423
lambda *args, **kwargs:
3475
3424
(tcp_server.handle_request
3476
3425
(*args[2:], **kwargs) or True))
3477
3426
3478
3427
logger.debug("Starting main loop")
3479
3428
main_loop.run()
3480
3429
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0