To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 874
- compare with another revision
- download diff
- download tarball
- view history from revision 874
- Committer: Teddy Hogeborn
- Date: 2016-08-25 17:37:05 UTC
- Revision ID: teddy@recompile.se-20160825173705-q2v6lban8ph9uw75
PEP8 compliance: mandos
* mandos: Add PEP8 compliance (as per the "pycodestyle" tool).
* mandos: Add PEP8 compliance (as per the "pycodestyle" tool).
- files added:
- initramfs-tools-hook-conf
- files removed:
- debian/mandos-client.templates
- debian/tests
- dracut-module
- files modified:
- .bzrignore
added
removed
mandos
1
#!/usr/bin/python3 -bI
2
# -*- coding: utf-8; lexical-binding: t -*-
1
#!/usr/bin/python
2
# -*- mode: python; coding: utf-8 -*-
3
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
5
#
11
11
# "AvahiService" class, and some lines in "main".
12
12
#
13
13
# Everything else is
14
# Copyright © 2008-2020 Teddy Hogeborn
15
# Copyright © 2008-2020 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
21
19
# the Free Software Foundation, either version 3 of the License, or
22
20
# (at your option) any later version.
23
21
#
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
26
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27
25
# GNU General Public License for more details.
28
26
#
29
27
# You should have received a copy of the GNU General Public License
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
31
30
#
32
31
# Contact the authors at <mandos@recompile.se>.
33
32
#
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
39
39
except ImportError:
40
40
pass
41
41
42
import sys
43
import unittest
44
import argparse
45
import logging
46
import os
47
42
try:
48
43
import SocketServer as socketserver
49
44
except ImportError:
50
45
import socketserver
51
46
import socket
47
import argparse
52
48
import datetime
53
49
import errno
54
50
try:
55
51
import ConfigParser as configparser
56
52
except ImportError:
57
53
import configparser
54
import sys
58
55
import re
56
import os
59
57
import signal
60
58
import subprocess
61
59
import atexit
62
60
import stat
61
import logging
63
62
import logging.handlers
64
63
import pwd
65
64
import contextlib
77
76
import itertools
78
77
import collections
79
78
import codecs
80
import random
81
import shlex
82
79
83
80
import dbus
84
81
import dbus.service
85
import gi
86
82
from gi.repository import GLib
87
83
from dbus.mainloop.glib import DBusGMainLoop
88
84
import ctypes
90
86
import xml.dom.minidom
91
87
import inspect
92
88
93
if sys.version_info.major == 2:
94
__metaclass__ = type
95
str = unicode
96
input = raw_input
97
98
# Add collections.abc.Callable if it does not exist
99
try:
100
collections.abc.Callable
101
except AttributeError:
102
class abc:
103
Callable = collections.Callable
104
collections.abc = abc
105
del abc
106
107
# Add shlex.quote if it does not exist
108
try:
109
shlex.quote
110
except AttributeError:
111
shlex.quote = re.escape
112
113
# Show warnings by default
114
if not sys.warnoptions:
115
import warnings
116
warnings.simplefilter("default")
117
118
89
# Try to find the value of SO_BINDTODEVICE:
119
90
try:
120
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
140
111
# No value found
141
112
SO_BINDTODEVICE = None
142
113
143
if sys.version_info < (3, 2):
144
configparser.Configparser = configparser.SafeConfigParser
114
if sys.version_info.major == 2:
115
str = unicode
145
116
146
version = "1.8.14"
117
version = "1.7.10"
147
118
stored_state_file = "clients.pickle"
148
119
149
log = logging.getLogger(os.path.basename(sys.argv[0]))
150
logging.captureWarnings(True) # Show warnings via the logging system
120
logger = logging.getLogger()
151
121
syslogger = None
152
122
153
123
try:
189
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
190
160
address="/dev/log"))
191
161
syslogger.setFormatter(logging.Formatter
192
("Mandos [%(process)d]: %(levelname)s:"
193
" %(message)s"))
194
log.addHandler(syslogger)
162
('Mandos [%(process)d]: %(levelname)s:'
163
' %(message)s'))
164
logger.addHandler(syslogger)
195
165
196
166
if debug:
197
167
console = logging.StreamHandler()
198
console.setFormatter(logging.Formatter("%(asctime)s %(name)s"
199
" [%(process)d]:"
200
" %(levelname)s:"
201
" %(message)s"))
202
log.addHandler(console)
203
log.setLevel(level)
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
169
' [%(process)d]:'
170
' %(levelname)s:'
171
' %(message)s'))
172
logger.addHandler(console)
173
logger.setLevel(level)
204
174
205
175
206
176
class PGPError(Exception):
208
178
pass
209
179
210
180
211
class PGPEngine:
181
class PGPEngine(object):
212
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
213
183
214
184
def __init__(self):
218
188
output = subprocess.check_output(["gpgconf"])
219
189
for line in output.splitlines():
220
190
name, text, path = line.split(b":")
221
if name == b"gpg":
191
if name == "gpg":
222
192
self.gpg = path
223
193
break
224
194
except OSError as e:
225
195
if e.errno != errno.ENOENT:
226
196
raise
227
self.gnupgargs = ["--batch",
228
"--homedir", self.tempdir,
229
"--force-mdc",
230
"--quiet"]
197
self.gnupgargs = ['--batch',
198
'--homedir', self.tempdir,
199
'--force-mdc',
200
'--quiet']
231
201
# Only GPG version 1 has the --no-use-agent option.
232
if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
233
203
self.gnupgargs.append("--no-use-agent")
234
204
235
205
def __enter__(self):
272
242
dir=self.tempdir) as passfile:
273
243
passfile.write(passphrase)
274
244
passfile.flush()
275
proc = subprocess.Popen([self.gpg, "--symmetric",
276
"--passphrase-file",
245
proc = subprocess.Popen([self.gpg, '--symmetric',
246
'--passphrase-file',
277
247
passfile.name]
278
248
+ self.gnupgargs,
279
249
stdin=subprocess.PIPE,
290
260
dir=self.tempdir) as passfile:
291
261
passfile.write(passphrase)
292
262
passfile.flush()
293
proc = subprocess.Popen([self.gpg, "--decrypt",
294
"--passphrase-file",
263
proc = subprocess.Popen([self.gpg, '--decrypt',
264
'--passphrase-file',
295
265
passfile.name]
296
266
+ self.gnupgargs,
297
267
stdin=subprocess.PIPE,
304
274
305
275
306
276
# Pretend that we have an Avahi module
307
class avahi:
308
"""This isn't so much a class as it is a module-like namespace."""
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
309
280
IF_UNSPEC = -1 # avahi-common/address.h
310
281
PROTO_UNSPEC = -1 # avahi-common/address.h
311
282
PROTO_INET = 0 # avahi-common/address.h
315
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
316
287
DBUS_PATH_SERVER = "/"
317
288
318
@staticmethod
319
def string_array_to_txt_array(t):
289
def string_array_to_txt_array(self, t):
320
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
321
291
for s in t), signature="ay")
322
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
327
297
SERVER_RUNNING = 2 # avahi-common/defs.h
328
298
SERVER_COLLISION = 3 # avahi-common/defs.h
329
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
330
301
331
302
332
303
class AvahiError(Exception):
344
315
pass
345
316
346
317
347
class AvahiService:
318
class AvahiService(object):
348
319
"""An Avahi (Zeroconf) service.
349
320
350
321
Attributes:
351
322
interface: integer; avahi.IF_UNSPEC or an interface index.
352
323
Used to optionally bind to the specified interface.
353
name: string; Example: "Mandos"
354
type: string; Example: "_mandos._tcp".
324
name: string; Example: 'Mandos'
325
type: string; Example: '_mandos._tcp'.
355
326
See <https://www.iana.org/assignments/service-names-port-numbers>
356
327
port: integer; what port to announce
357
328
TXT: list of strings; TXT record for the service
394
365
def rename(self, remove=True):
395
366
"""Derived from the Avahi example code"""
396
367
if self.rename_count >= self.max_renames:
397
log.critical("No suitable Zeroconf service name found"
398
" after %i retries, exiting.",
399
self.rename_count)
368
logger.critical("No suitable Zeroconf service name found"
369
" after %i retries, exiting.",
370
self.rename_count)
400
371
raise AvahiServiceError("Too many renames")
401
372
self.name = str(
402
373
self.server.GetAlternativeServiceName(self.name))
403
374
self.rename_count += 1
404
log.info("Changing Zeroconf service name to %r ...",
405
self.name)
375
logger.info("Changing Zeroconf service name to %r ...",
376
self.name)
406
377
if remove:
407
378
self.remove()
408
379
try:
410
381
except dbus.exceptions.DBusException as error:
411
382
if (error.get_dbus_name()
412
383
== "org.freedesktop.Avahi.CollisionError"):
413
log.info("Local Zeroconf service name collision.")
384
logger.info("Local Zeroconf service name collision.")
414
385
return self.rename(remove=False)
415
386
else:
416
log.critical("D-Bus Exception", exc_info=error)
387
logger.critical("D-Bus Exception", exc_info=error)
417
388
self.cleanup()
418
389
os._exit(1)
419
390
435
406
avahi.DBUS_INTERFACE_ENTRY_GROUP)
436
407
self.entry_group_state_changed_match = (
437
408
self.group.connect_to_signal(
438
"StateChanged", self.entry_group_state_changed))
439
log.debug("Adding Zeroconf service '%s' of type '%s' ...",
440
self.name, self.type)
409
'StateChanged', self.entry_group_state_changed))
410
logger.debug("Adding Zeroconf service '%s' of type '%s' ...",
411
self.name, self.type)
441
412
self.group.AddService(
442
413
self.interface,
443
414
self.protocol,
450
421
451
422
def entry_group_state_changed(self, state, error):
452
423
"""Derived from the Avahi example code"""
453
log.debug("Avahi entry group state change: %i", state)
424
logger.debug("Avahi entry group state change: %i", state)
454
425
455
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
456
log.debug("Zeroconf service established.")
427
logger.debug("Zeroconf service established.")
457
428
elif state == avahi.ENTRY_GROUP_COLLISION:
458
log.info("Zeroconf service name collision.")
429
logger.info("Zeroconf service name collision.")
459
430
self.rename()
460
431
elif state == avahi.ENTRY_GROUP_FAILURE:
461
log.critical("Avahi: Error in group state changed %s",
462
str(error))
432
logger.critical("Avahi: Error in group state changed %s",
433
str(error))
463
434
raise AvahiGroupError("State changed: {!s}".format(error))
464
435
465
436
def cleanup(self):
475
446
476
447
def server_state_changed(self, state, error=None):
477
448
"""Derived from the Avahi example code"""
478
log.debug("Avahi server state change: %i", state)
449
logger.debug("Avahi server state change: %i", state)
479
450
bad_states = {
480
451
avahi.SERVER_INVALID: "Zeroconf server invalid",
481
452
avahi.SERVER_REGISTERING: None,
485
456
if state in bad_states:
486
457
if bad_states[state] is not None:
487
458
if error is None:
488
log.error(bad_states[state])
459
logger.error(bad_states[state])
489
460
else:
490
log.error(bad_states[state] + ": %r", error)
461
logger.error(bad_states[state] + ": %r", error)
491
462
self.cleanup()
492
463
elif state == avahi.SERVER_RUNNING:
493
464
try:
495
466
except dbus.exceptions.DBusException as error:
496
467
if (error.get_dbus_name()
497
468
== "org.freedesktop.Avahi.CollisionError"):
498
log.info("Local Zeroconf service name collision.")
469
logger.info("Local Zeroconf service name"
470
" collision.")
499
471
return self.rename(remove=False)
500
472
else:
501
log.critical("D-Bus Exception", exc_info=error)
473
logger.critical("D-Bus Exception", exc_info=error)
502
474
self.cleanup()
503
475
os._exit(1)
504
476
else:
505
477
if error is None:
506
log.debug("Unknown state: %r", state)
478
logger.debug("Unknown state: %r", state)
507
479
else:
508
log.debug("Unknown state: %r: %r", state, error)
480
logger.debug("Unknown state: %r: %r", state, error)
509
481
510
482
def activate(self):
511
483
"""Derived from the Avahi example code"""
523
495
class AvahiServiceToSyslog(AvahiService):
524
496
def rename(self, *args, **kwargs):
525
497
"""Add the new name to the syslog messages"""
526
ret = super(AvahiServiceToSyslog, self).rename(*args,
527
**kwargs)
498
ret = AvahiService.rename(self, *args, **kwargs)
528
499
syslogger.setFormatter(logging.Formatter(
529
"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
530
501
.format(self.name)))
531
502
return ret
532
503
533
504
534
505
# Pretend that we have a GnuTLS module
535
class gnutls:
536
"""This isn't so much a class as it is a module-like namespace."""
537
538
library = ctypes.util.find_library("gnutls")
539
if library is None:
540
library = ctypes.util.find_library("gnutls-deb0")
541
_library = ctypes.cdll.LoadLibrary(library)
542
del library
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
509
510
_library = ctypes.cdll.LoadLibrary(
511
ctypes.util.find_library("gnutls"))
512
_need_version = b"3.3.0"
513
514
def __init__(self):
515
# Need to use class name "GnuTLS" here, since this method is
516
# called before the assignment to the "gnutls" global variable
517
# happens.
518
if GnuTLS.check_version(self._need_version) is None:
519
raise GnuTLS.Error("Needs GnuTLS {} or later"
520
.format(self._need_version))
543
521
544
522
# Unless otherwise indicated, the constants and types below are
545
523
# all from the gnutls/gnutls.h C header file.
549
527
E_INTERRUPTED = -52
550
528
E_AGAIN = -28
551
529
CRT_OPENPGP = 2
552
CRT_RAWPK = 3
553
530
CLIENT = 2
554
531
SHUT_RDWR = 0
555
532
CRD_CERTIFICATE = 1
556
533
E_NO_CERTIFICATE_FOUND = -49
557
X509_FMT_DER = 0
558
NO_TICKETS = 1<<10
559
ENABLE_RAWPK = 1<<18
560
CTYPE_PEERS = 3
561
KEYID_USE_SHA256 = 1 # gnutls/x509.h
562
534
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
563
535
564
536
# Types
565
class _session_int(ctypes.Structure):
537
class session_int(ctypes.Structure):
566
538
_fields_ = []
567
session_t = ctypes.POINTER(_session_int)
539
session_t = ctypes.POINTER(session_int)
568
540
569
541
class certificate_credentials_st(ctypes.Structure):
570
542
_fields_ = []
573
545
certificate_type_t = ctypes.c_int
574
546
575
547
class datum_t(ctypes.Structure):
576
_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),
577
("size", ctypes.c_uint)]
548
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
549
('size', ctypes.c_uint)]
578
550
579
class _openpgp_crt_int(ctypes.Structure):
551
class openpgp_crt_int(ctypes.Structure):
580
552
_fields_ = []
581
openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)
553
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
582
554
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
583
555
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
584
556
credentials_type_t = ctypes.c_int
587
559
588
560
# Exceptions
589
561
class Error(Exception):
562
# We need to use the class name "GnuTLS" here, since this
563
# exception might be raised from within GnuTLS.__init__,
564
# which is called before the assignment to the "gnutls"
565
# global variable has happened.
590
566
def __init__(self, message=None, code=None, args=()):
591
567
# Default usage is by a message string, but if a return
592
568
# code is passed, convert it to a string with
593
569
# gnutls.strerror()
594
570
self.code = code
595
571
if message is None and code is not None:
596
message = gnutls.strerror(code).decode(
597
"utf-8", errors="replace")
598
return super(gnutls.Error, self).__init__(
572
message = GnuTLS.strerror(code)
573
return super(GnuTLS.Error, self).__init__(
599
574
message, *args)
600
575
601
576
class CertificateSecurityError(Error):
602
577
pass
603
578
604
class PointerTo:
605
def __init__(self, cls):
606
self.cls = cls
607
608
def from_param(self, obj):
609
if not isinstance(obj, self.cls):
610
raise TypeError("Not of type {}: {!r}"
611
.format(self.cls.__name__, obj))
612
return ctypes.byref(obj.from_param(obj))
613
614
class CastToVoidPointer:
615
def __init__(self, cls):
616
self.cls = cls
617
618
def from_param(self, obj):
619
if not isinstance(obj, self.cls):
620
raise TypeError("Not of type {}: {!r}"
621
.format(self.cls.__name__, obj))
622
return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)
623
624
class With_from_param:
625
@classmethod
626
def from_param(cls, obj):
627
return obj._as_parameter_
628
629
579
# Classes
630
class Credentials(With_from_param):
580
class Credentials(object):
631
581
def __init__(self):
632
self._as_parameter_ = gnutls.certificate_credentials_t()
633
gnutls.certificate_allocate_credentials(self)
582
self._c_object = gnutls.certificate_credentials_t()
583
gnutls.certificate_allocate_credentials(
584
ctypes.byref(self._c_object))
634
585
self.type = gnutls.CRD_CERTIFICATE
635
586
636
587
def __del__(self):
637
gnutls.certificate_free_credentials(self)
588
gnutls.certificate_free_credentials(self._c_object)
638
589
639
class ClientSession(With_from_param):
590
class ClientSession(object):
640
591
def __init__(self, socket, credentials=None):
641
self._as_parameter_ = gnutls.session_t()
642
gnutls_flags = gnutls.CLIENT
643
if gnutls.check_version(b"3.5.6"):
644
gnutls_flags |= gnutls.NO_TICKETS
645
if gnutls.has_rawpk:
646
gnutls_flags |= gnutls.ENABLE_RAWPK
647
gnutls.init(self, gnutls_flags)
648
del gnutls_flags
649
gnutls.set_default_priority(self)
650
gnutls.transport_set_ptr(self, socket.fileno())
651
gnutls.handshake_set_private_extensions(self, True)
592
self._c_object = gnutls.session_t()
593
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
594
gnutls.set_default_priority(self._c_object)
595
gnutls.transport_set_ptr(self._c_object, socket.fileno())
596
gnutls.handshake_set_private_extensions(self._c_object,
597
True)
652
598
self.socket = socket
653
599
if credentials is None:
654
600
credentials = gnutls.Credentials()
655
gnutls.credentials_set(self, credentials.type,
656
credentials)
601
gnutls.credentials_set(self._c_object, credentials.type,
602
ctypes.cast(credentials._c_object,
603
ctypes.c_void_p))
657
604
self.credentials = credentials
658
605
659
606
def __del__(self):
660
gnutls.deinit(self)
607
gnutls.deinit(self._c_object)
661
608
662
609
def handshake(self):
663
return gnutls.handshake(self)
610
return gnutls.handshake(self._c_object)
664
611
665
612
def send(self, data):
666
613
data = bytes(data)
667
614
data_len = len(data)
668
615
while data_len > 0:
669
data_len -= gnutls.record_send(self, data[-data_len:],
616
data_len -= gnutls.record_send(self._c_object,
617
data[-data_len:],
670
618
data_len)
671
619
672
620
def bye(self):
673
return gnutls.bye(self, gnutls.SHUT_RDWR)
621
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
674
622
675
623
# Error handling functions
676
624
def _error_code(result):
677
625
"""A function to raise exceptions on errors, suitable
678
for the "restype" attribute on ctypes functions"""
679
if result >= gnutls.E_SUCCESS:
626
for the 'restype' attribute on ctypes functions"""
627
if result >= 0:
680
628
return result
681
629
if result == gnutls.E_NO_CERTIFICATE_FOUND:
682
630
raise gnutls.CertificateSecurityError(code=result)
683
631
raise gnutls.Error(code=result)
684
632
685
def _retry_on_error(result, func, arguments,
686
_error_code=_error_code):
633
def _retry_on_error(result, func, arguments):
687
634
"""A function to retry on some errors, suitable
688
for the "errcheck" attribute on ctypes functions"""
689
while result < gnutls.E_SUCCESS:
635
for the 'errcheck' attribute on ctypes functions"""
636
while result < 0:
690
637
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
691
638
return _error_code(result)
692
639
result = func(*arguments)
697
644
698
645
# Functions
699
646
priority_set_direct = _library.gnutls_priority_set_direct
700
priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,
647
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
701
648
ctypes.POINTER(ctypes.c_char_p)]
702
649
priority_set_direct.restype = _error_code
703
650
704
651
init = _library.gnutls_init
705
init.argtypes = [PointerTo(ClientSession), ctypes.c_int]
652
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
706
653
init.restype = _error_code
707
654
708
655
set_default_priority = _library.gnutls_set_default_priority
709
set_default_priority.argtypes = [ClientSession]
656
set_default_priority.argtypes = [session_t]
710
657
set_default_priority.restype = _error_code
711
658
712
659
record_send = _library.gnutls_record_send
713
record_send.argtypes = [ClientSession, ctypes.c_void_p,
660
record_send.argtypes = [session_t, ctypes.c_void_p,
714
661
ctypes.c_size_t]
715
662
record_send.restype = ctypes.c_ssize_t
716
663
record_send.errcheck = _retry_on_error
718
665
certificate_allocate_credentials = (
719
666
_library.gnutls_certificate_allocate_credentials)
720
667
certificate_allocate_credentials.argtypes = [
721
PointerTo(Credentials)]
668
ctypes.POINTER(certificate_credentials_t)]
722
669
certificate_allocate_credentials.restype = _error_code
723
670
724
671
certificate_free_credentials = (
725
672
_library.gnutls_certificate_free_credentials)
726
certificate_free_credentials.argtypes = [Credentials]
673
certificate_free_credentials.argtypes = [
674
certificate_credentials_t]
727
675
certificate_free_credentials.restype = None
728
676
729
677
handshake_set_private_extensions = (
730
678
_library.gnutls_handshake_set_private_extensions)
731
handshake_set_private_extensions.argtypes = [ClientSession,
679
handshake_set_private_extensions.argtypes = [session_t,
732
680
ctypes.c_int]
733
681
handshake_set_private_extensions.restype = None
734
682
735
683
credentials_set = _library.gnutls_credentials_set
736
credentials_set.argtypes = [ClientSession, credentials_type_t,
737
CastToVoidPointer(Credentials)]
684
credentials_set.argtypes = [session_t, credentials_type_t,
685
ctypes.c_void_p]
738
686
credentials_set.restype = _error_code
739
687
740
688
strerror = _library.gnutls_strerror
742
690
strerror.restype = ctypes.c_char_p
743
691
744
692
certificate_type_get = _library.gnutls_certificate_type_get
745
certificate_type_get.argtypes = [ClientSession]
693
certificate_type_get.argtypes = [session_t]
746
694
certificate_type_get.restype = _error_code
747
695
748
696
certificate_get_peers = _library.gnutls_certificate_get_peers
749
certificate_get_peers.argtypes = [ClientSession,
697
certificate_get_peers.argtypes = [session_t,
750
698
ctypes.POINTER(ctypes.c_uint)]
751
699
certificate_get_peers.restype = ctypes.POINTER(datum_t)
752
700
759
707
global_set_log_function.restype = None
760
708
761
709
deinit = _library.gnutls_deinit
762
deinit.argtypes = [ClientSession]
710
deinit.argtypes = [session_t]
763
711
deinit.restype = None
764
712
765
713
handshake = _library.gnutls_handshake
766
handshake.argtypes = [ClientSession]
767
handshake.restype = ctypes.c_int
714
handshake.argtypes = [session_t]
715
handshake.restype = _error_code
768
716
handshake.errcheck = _retry_on_error
769
717
770
718
transport_set_ptr = _library.gnutls_transport_set_ptr
771
transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]
719
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
772
720
transport_set_ptr.restype = None
773
721
774
722
bye = _library.gnutls_bye
775
bye.argtypes = [ClientSession, close_request_t]
776
bye.restype = ctypes.c_int
723
bye.argtypes = [session_t, close_request_t]
724
bye.restype = _error_code
777
725
bye.errcheck = _retry_on_error
778
726
779
727
check_version = _library.gnutls_check_version
780
728
check_version.argtypes = [ctypes.c_char_p]
781
729
check_version.restype = ctypes.c_char_p
782
730
783
_need_version = b"3.3.0"
784
if check_version(_need_version) is None:
785
raise self.Error("Needs GnuTLS {} or later"
786
.format(_need_version))
787
788
_tls_rawpk_version = b"3.6.6"
789
has_rawpk = bool(check_version(_tls_rawpk_version))
790
791
if has_rawpk:
792
# Types
793
class pubkey_st(ctypes.Structure):
794
_fields = []
795
pubkey_t = ctypes.POINTER(pubkey_st)
796
797
x509_crt_fmt_t = ctypes.c_int
798
799
# All the function declarations below are from
800
# gnutls/abstract.h
801
pubkey_init = _library.gnutls_pubkey_init
802
pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]
803
pubkey_init.restype = _error_code
804
805
pubkey_import = _library.gnutls_pubkey_import
806
pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),
807
x509_crt_fmt_t]
808
pubkey_import.restype = _error_code
809
810
pubkey_get_key_id = _library.gnutls_pubkey_get_key_id
811
pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,
812
ctypes.POINTER(ctypes.c_ubyte),
813
ctypes.POINTER(ctypes.c_size_t)]
814
pubkey_get_key_id.restype = _error_code
815
816
pubkey_deinit = _library.gnutls_pubkey_deinit
817
pubkey_deinit.argtypes = [pubkey_t]
818
pubkey_deinit.restype = None
819
else:
820
# All the function declarations below are from
821
# gnutls/openpgp.h
822
823
openpgp_crt_init = _library.gnutls_openpgp_crt_init
824
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
825
openpgp_crt_init.restype = _error_code
826
827
openpgp_crt_import = _library.gnutls_openpgp_crt_import
828
openpgp_crt_import.argtypes = [openpgp_crt_t,
829
ctypes.POINTER(datum_t),
830
openpgp_crt_fmt_t]
831
openpgp_crt_import.restype = _error_code
832
833
openpgp_crt_verify_self = \
834
_library.gnutls_openpgp_crt_verify_self
835
openpgp_crt_verify_self.argtypes = [
836
openpgp_crt_t,
837
ctypes.c_uint,
838
ctypes.POINTER(ctypes.c_uint),
839
]
840
openpgp_crt_verify_self.restype = _error_code
841
842
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
843
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
844
openpgp_crt_deinit.restype = None
845
846
openpgp_crt_get_fingerprint = (
847
_library.gnutls_openpgp_crt_get_fingerprint)
848
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
849
ctypes.c_void_p,
850
ctypes.POINTER(
851
ctypes.c_size_t)]
852
openpgp_crt_get_fingerprint.restype = _error_code
853
854
if check_version(b"3.6.4"):
855
certificate_type_get2 = _library.gnutls_certificate_type_get2
856
certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]
857
certificate_type_get2.restype = _error_code
731
# All the function declarations below are from gnutls/openpgp.h
732
733
openpgp_crt_init = _library.gnutls_openpgp_crt_init
734
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
735
openpgp_crt_init.restype = _error_code
736
737
openpgp_crt_import = _library.gnutls_openpgp_crt_import
738
openpgp_crt_import.argtypes = [openpgp_crt_t,
739
ctypes.POINTER(datum_t),
740
openpgp_crt_fmt_t]
741
openpgp_crt_import.restype = _error_code
742
743
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
744
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
745
ctypes.POINTER(ctypes.c_uint)]
746
openpgp_crt_verify_self.restype = _error_code
747
748
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
749
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
750
openpgp_crt_deinit.restype = None
751
752
openpgp_crt_get_fingerprint = (
753
_library.gnutls_openpgp_crt_get_fingerprint)
754
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
755
ctypes.c_void_p,
756
ctypes.POINTER(
757
ctypes.c_size_t)]
758
openpgp_crt_get_fingerprint.restype = _error_code
858
759
859
760
# Remove non-public functions
860
761
del _error_code, _retry_on_error
762
# Create the global "gnutls" object, simulating a module
763
gnutls = GnuTLS()
861
764
862
765
863
766
def call_pipe(connection, # : multiprocessing.Connection
871
774
connection.close()
872
775
873
776
874
class Client:
777
class Client(object):
875
778
"""A representation of a client host served by this server.
876
779
877
780
Attributes:
878
approved: bool(); None if not yet approved/disapproved
781
approved: bool(); 'None' if not yet approved/disapproved
879
782
approval_delay: datetime.timedelta(); Time to wait for approval
880
783
approval_duration: datetime.timedelta(); Duration of one approval
881
checker: multiprocessing.Process(); a running checker process used
882
to see if the client lives. None if no process is
883
running.
784
checker: subprocess.Popen(); a running checker process used
785
to see if the client lives.
786
'None' if no process is running.
884
787
checker_callback_tag: a GLib event source tag, or None
885
788
checker_command: string; External command which is run to check
886
789
if client lives. %() expansions are done at
894
797
disable_initiator_tag: a GLib event source tag, or None
895
798
enabled: bool()
896
799
fingerprint: string (40 or 32 hexadecimal digits); used to
897
uniquely identify an OpenPGP client
898
key_id: string (64 hexadecimal digits); used to uniquely identify
899
a client using raw public keys
800
uniquely identify the client
900
801
host: string; available for use by the checker command
901
802
interval: datetime.timedelta(); How often to start a new checker
902
803
last_approval_request: datetime.datetime(); (UTC) or None
920
821
"""
921
822
922
823
runtime_expansions = ("approval_delay", "approval_duration",
923
"created", "enabled", "expires", "key_id",
824
"created", "enabled", "expires",
924
825
"fingerprint", "host", "interval",
925
826
"last_approval_request", "last_checked_ok",
926
827
"last_enabled", "name", "timeout")
956
857
client["enabled"] = config.getboolean(client_name,
957
858
"enabled")
958
859
959
# Uppercase and remove spaces from key_id and fingerprint
960
# for later comparison purposes with return value from the
961
# key_id() and fingerprint() functions
962
client["key_id"] = (section.get("key_id", "").upper()
963
.replace(" ", ""))
860
# Uppercase and remove spaces from fingerprint for later
861
# comparison purposes with return value from the
862
# fingerprint() function
964
863
client["fingerprint"] = (section["fingerprint"].upper()
965
864
.replace(" ", ""))
966
865
if "secret" in section:
1009
908
self.last_enabled = None
1010
909
self.expires = None
1011
910
1012
log.debug("Creating client %r", self.name)
1013
log.debug(" Key ID: %s", self.key_id)
1014
log.debug(" Fingerprint: %s", self.fingerprint)
911
logger.debug("Creating client %r", self.name)
912
logger.debug(" Fingerprint: %s", self.fingerprint)
1015
913
self.created = settings.get("created",
1016
914
datetime.datetime.utcnow())
1017
915
1056
954
if not getattr(self, "enabled", False):
1057
955
return False
1058
956
if not quiet:
1059
log.info("Disabling client %s", self.name)
957
logger.info("Disabling client %s", self.name)
1060
958
if getattr(self, "disable_initiator_tag", None) is not None:
1061
959
GLib.source_remove(self.disable_initiator_tag)
1062
960
self.disable_initiator_tag = None
1080
978
if self.checker_initiator_tag is not None:
1081
979
GLib.source_remove(self.checker_initiator_tag)
1082
980
self.checker_initiator_tag = GLib.timeout_add(
1083
random.randrange(int(self.interval.total_seconds() * 1000
1084
+ 1)),
981
int(self.interval.total_seconds() * 1000),
1085
982
self.start_checker)
1086
983
# Schedule a disable() when 'timeout' has passed
1087
984
if self.disable_initiator_tag is not None:
1094
991
def checker_callback(self, source, condition, connection,
1095
992
command):
1096
993
"""The checker has completed, so take appropriate actions."""
994
self.checker_callback_tag = None
995
self.checker = None
1097
996
# Read return code from connection (see call_pipe)
1098
997
returncode = connection.recv()
1099
998
connection.close()
1100
if self.checker is not None:
1101
self.checker.join()
1102
self.checker_callback_tag = None
1103
self.checker = None
1104
999
1105
1000
if returncode >= 0:
1106
1001
self.last_checker_status = returncode
1107
1002
self.last_checker_signal = None
1108
1003
if self.last_checker_status == 0:
1109
log.info("Checker for %(name)s succeeded", vars(self))
1004
logger.info("Checker for %(name)s succeeded",
1005
vars(self))
1110
1006
self.checked_ok()
1111
1007
else:
1112
log.info("Checker for %(name)s failed", vars(self))
1008
logger.info("Checker for %(name)s failed", vars(self))
1113
1009
else:
1114
1010
self.last_checker_status = -1
1115
1011
self.last_checker_signal = -returncode
1116
log.warning("Checker for %(name)s crashed?", vars(self))
1012
logger.warning("Checker for %(name)s crashed?",
1013
vars(self))
1117
1014
return False
1118
1015
1119
1016
def checked_ok(self):
1153
1050
# should be.
1154
1051
1155
1052
if self.checker is not None and not self.checker.is_alive():
1156
log.warning("Checker was not alive; joining")
1053
logger.warning("Checker was not alive; joining")
1157
1054
self.checker.join()
1158
1055
self.checker = None
1159
1056
# Start a new checker if needed
1160
1057
if self.checker is None:
1161
1058
# Escape attributes for the shell
1162
1059
escaped_attrs = {
1163
attr: shlex.quote(str(getattr(self, attr)))
1060
attr: re.escape(str(getattr(self, attr)))
1164
1061
for attr in self.runtime_expansions}
1165
1062
try:
1166
1063
command = self.checker_command % escaped_attrs
1167
1064
except TypeError as error:
1168
log.error('Could not format string "%s"',
1169
self.checker_command, exc_info=error)
1065
logger.error('Could not format string "%s"',
1066
self.checker_command,
1067
exc_info=error)
1170
1068
return True # Try again later
1171
1069
self.current_checker_command = command
1172
log.info("Starting checker %r for %s", command, self.name)
1070
logger.info("Starting checker %r for %s", command,
1071
self.name)
1173
1072
# We don't need to redirect stdout and stderr, since
1174
1073
# in normal mode, that is already done by daemon(),
1175
1074
# and in debug mode we don't want to. (Stdin is
1191
1090
kwargs=popen_args)
1192
1091
self.checker.start()
1193
1092
self.checker_callback_tag = GLib.io_add_watch(
1194
GLib.IOChannel.unix_new(pipe[0].fileno()),
1195
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
1093
pipe[0].fileno(), GLib.IO_IN,
1196
1094
self.checker_callback, pipe[0], command)
1197
1095
# Re-run this periodically if run by GLib.timeout_add
1198
1096
return True
1204
1102
self.checker_callback_tag = None
1205
1103
if getattr(self, "checker", None) is None:
1206
1104
return
1207
log.debug("Stopping checker for %(name)s", vars(self))
1105
logger.debug("Stopping checker for %(name)s", vars(self))
1208
1106
self.checker.terminate()
1209
1107
self.checker = None
1210
1108
1237
1135
func._dbus_name = func.__name__
1238
1136
if func._dbus_name.endswith("_dbus_property"):
1239
1137
func._dbus_name = func._dbus_name[:-14]
1240
func._dbus_get_args_options = {"byte_arrays": byte_arrays}
1138
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
1241
1139
return func
1242
1140
1243
1141
return decorator
1332
1230
1333
1231
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1334
1232
out_signature="s",
1335
path_keyword="object_path",
1336
connection_keyword="connection")
1233
path_keyword='object_path',
1234
connection_keyword='connection')
1337
1235
def Introspect(self, object_path, connection):
1338
1236
"""Overloading of standard D-Bus method.
1339
1237
1388
1286
document.unlink()
1389
1287
except (AttributeError, xml.dom.DOMException,
1390
1288
xml.parsers.expat.ExpatError) as error:
1391
log.error("Failed to override Introspection method",
1392
exc_info=error)
1289
logger.error("Failed to override Introspection method",
1290
exc_info=error)
1393
1291
return xmlstring
1394
1292
1395
1293
1453
1351
raise ValueError("Byte arrays not supported for non-"
1454
1352
"'ay' signature {!r}"
1455
1353
.format(prop._dbus_signature))
1456
value = dbus.ByteArray(bytes(value))
1354
value = dbus.ByteArray(b''.join(chr(byte)
1355
for byte in value))
1457
1356
prop(value)
1458
1357
1459
1358
@dbus.service.method(dbus.PROPERTIES_IFACE,
1492
1391
1493
1392
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1494
1393
out_signature="s",
1495
path_keyword="object_path",
1496
connection_keyword="connection")
1394
path_keyword='object_path',
1395
connection_keyword='connection')
1497
1396
def Introspect(self, object_path, connection):
1498
1397
"""Overloading of standard D-Bus method.
1499
1398
1555
1454
document.unlink()
1556
1455
except (AttributeError, xml.dom.DOMException,
1557
1456
xml.parsers.expat.ExpatError) as error:
1558
log.error("Failed to override Introspection method",
1559
exc_info=error)
1457
logger.error("Failed to override Introspection method",
1458
exc_info=error)
1560
1459
return xmlstring
1561
1460
1562
1563
1461
try:
1564
1462
dbus.OBJECT_MANAGER_IFACE
1565
1463
except AttributeError:
1594
1492
1595
1493
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1596
1494
out_signature="s",
1597
path_keyword="object_path",
1598
connection_keyword="connection")
1495
path_keyword='object_path',
1496
connection_keyword='connection')
1599
1497
def Introspect(self, object_path, connection):
1600
1498
"""Overloading of standard D-Bus method.
1601
1499
1626
1524
document.unlink()
1627
1525
except (AttributeError, xml.dom.DOMException,
1628
1526
xml.parsers.expat.ExpatError) as error:
1629
log.error("Failed to override Introspection method",
1630
exc_info=error)
1527
logger.error("Failed to override Introspection method",
1528
exc_info=error)
1631
1529
return xmlstring
1632
1530
1633
1531
2097
1995
def Name_dbus_property(self):
2098
1996
return dbus.String(self.name)
2099
1997
2100
# KeyID - property
2101
@dbus_annotations(
2102
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2103
@dbus_service_property(_interface, signature="s", access="read")
2104
def KeyID_dbus_property(self):
2105
return dbus.String(self.key_id)
2106
2107
1998
# Fingerprint - property
2108
1999
@dbus_annotations(
2109
2000
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
2264
2155
del _interface
2265
2156
2266
2157
2267
class ProxyClient:
2268
def __init__(self, child_pipe, key_id, fpr, address):
2158
class ProxyClient(object):
2159
def __init__(self, child_pipe, fpr, address):
2269
2160
self._pipe = child_pipe
2270
self._pipe.send(("init", key_id, fpr, address))
2161
self._pipe.send(('init', fpr, address))
2271
2162
if not self._pipe.recv():
2272
raise KeyError(key_id or fpr)
2163
raise KeyError(fpr)
2273
2164
2274
2165
def __getattribute__(self, name):
2275
if name == "_pipe":
2166
if name == '_pipe':
2276
2167
return super(ProxyClient, self).__getattribute__(name)
2277
self._pipe.send(("getattr", name))
2168
self._pipe.send(('getattr', name))
2278
2169
data = self._pipe.recv()
2279
if data[0] == "data":
2170
if data[0] == 'data':
2280
2171
return data[1]
2281
if data[0] == "function":
2172
if data[0] == 'function':
2282
2173
2283
2174
def func(*args, **kwargs):
2284
self._pipe.send(("funcall", name, args, kwargs))
2175
self._pipe.send(('funcall', name, args, kwargs))
2285
2176
return self._pipe.recv()[1]
2286
2177
2287
2178
return func
2288
2179
2289
2180
def __setattr__(self, name, value):
2290
if name == "_pipe":
2181
if name == '_pipe':
2291
2182
return super(ProxyClient, self).__setattr__(name, value)
2292
self._pipe.send(("setattr", name, value))
2183
self._pipe.send(('setattr', name, value))
2293
2184
2294
2185
2295
2186
class ClientHandler(socketserver.BaseRequestHandler, object):
2300
2191
2301
2192
def handle(self):
2302
2193
with contextlib.closing(self.server.child_pipe) as child_pipe:
2303
log.info("TCP connection from: %s",
2304
str(self.client_address))
2305
log.debug("Pipe FD: %d", self.server.child_pipe.fileno())
2194
logger.info("TCP connection from: %s",
2195
str(self.client_address))
2196
logger.debug("Pipe FD: %d",
2197
self.server.child_pipe.fileno())
2306
2198
2307
2199
session = gnutls.ClientSession(self.request)
2308
2200
2309
# priority = ":".join(("NONE", "+VERS-TLS1.1",
2201
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2310
2202
# "+AES-256-CBC", "+SHA1",
2311
2203
# "+COMP-NULL", "+CTYPE-OPENPGP",
2312
2204
# "+DHE-DSS"))
2314
2206
priority = self.server.gnutls_priority
2315
2207
if priority is None:
2316
2208
priority = "NORMAL"
2317
gnutls.priority_set_direct(session,
2318
priority.encode("utf-8"), None)
2209
gnutls.priority_set_direct(session._c_object,
2210
priority.encode("utf-8"),
2211
None)
2319
2212
2320
2213
# Start communication using the Mandos protocol
2321
2214
# Get protocol number
2322
2215
line = self.request.makefile().readline()
2323
log.debug("Protocol version: %r", line)
2216
logger.debug("Protocol version: %r", line)
2324
2217
try:
2325
2218
if int(line.strip().split()[0]) > 1:
2326
2219
raise RuntimeError(line)
2327
2220
except (ValueError, IndexError, RuntimeError) as error:
2328
log.error("Unknown protocol version: %s", error)
2221
logger.error("Unknown protocol version: %s", error)
2329
2222
return
2330
2223
2331
2224
# Start GnuTLS connection
2332
2225
try:
2333
2226
session.handshake()
2334
2227
except gnutls.Error as error:
2335
log.warning("Handshake failed: %s", error)
2228
logger.warning("Handshake failed: %s", error)
2336
2229
# Do not run session.bye() here: the session is not
2337
2230
# established. Just abandon the request.
2338
2231
return
2339
log.debug("Handshake succeeded")
2232
logger.debug("Handshake succeeded")
2340
2233
2341
2234
approval_required = False
2342
2235
try:
2343
if gnutls.has_rawpk:
2344
fpr = b""
2345
try:
2346
key_id = self.key_id(
2347
self.peer_certificate(session))
2348
except (TypeError, gnutls.Error) as error:
2349
log.warning("Bad certificate: %s", error)
2350
return
2351
log.debug("Key ID: %s",
2352
key_id.decode("utf-8",
2353
errors="replace"))
2354
2355
else:
2356
key_id = b""
2357
try:
2358
fpr = self.fingerprint(
2359
self.peer_certificate(session))
2360
except (TypeError, gnutls.Error) as error:
2361
log.warning("Bad certificate: %s", error)
2362
return
2363
log.debug("Fingerprint: %s", fpr)
2364
2365
try:
2366
client = ProxyClient(child_pipe, key_id, fpr,
2236
try:
2237
fpr = self.fingerprint(
2238
self.peer_certificate(session))
2239
except (TypeError, gnutls.Error) as error:
2240
logger.warning("Bad certificate: %s", error)
2241
return
2242
logger.debug("Fingerprint: %s", fpr)
2243
2244
try:
2245
client = ProxyClient(child_pipe, fpr,
2367
2246
self.client_address)
2368
2247
except KeyError:
2369
2248
return
2375
2254
2376
2255
while True:
2377
2256
if not client.enabled:
2378
log.info("Client %s is disabled", client.name)
2257
logger.info("Client %s is disabled",
2258
client.name)
2379
2259
if self.server.use_dbus:
2380
2260
# Emit D-Bus signal
2381
2261
client.Rejected("Disabled")
2385
2265
# We are approved or approval is disabled
2386
2266
break
2387
2267
elif client.approved is None:
2388
log.info("Client %s needs approval",
2389
client.name)
2268
logger.info("Client %s needs approval",
2269
client.name)
2390
2270
if self.server.use_dbus:
2391
2271
# Emit D-Bus signal
2392
2272
client.NeedApproval(
2393
2273
client.approval_delay.total_seconds()
2394
2274
* 1000, client.approved_by_default)
2395
2275
else:
2396
log.warning("Client %s was not approved",
2397
client.name)
2276
logger.warning("Client %s was not approved",
2277
client.name)
2398
2278
if self.server.use_dbus:
2399
2279
# Emit D-Bus signal
2400
2280
client.Rejected("Denied")
2408
2288
time2 = datetime.datetime.now()
2409
2289
if (time2 - time) >= delay:
2410
2290
if not client.approved_by_default:
2411
log.warning("Client %s timed out while"
2412
" waiting for approval",
2413
client.name)
2291
logger.warning("Client %s timed out while"
2292
" waiting for approval",
2293
client.name)
2414
2294
if self.server.use_dbus:
2415
2295
# Emit D-Bus signal
2416
2296
client.Rejected("Approval timed out")
2423
2303
try:
2424
2304
session.send(client.secret)
2425
2305
except gnutls.Error as error:
2426
log.warning("gnutls send failed", exc_info=error)
2306
logger.warning("gnutls send failed",
2307
exc_info=error)
2427
2308
return
2428
2309
2429
log.info("Sending secret to %s", client.name)
2310
logger.info("Sending secret to %s", client.name)
2430
2311
# bump the timeout using extended_timeout
2431
2312
client.bump_timeout(client.extended_timeout)
2432
2313
if self.server.use_dbus:
2439
2320
try:
2440
2321
session.bye()
2441
2322
except gnutls.Error as error:
2442
log.warning("GnuTLS bye failed", exc_info=error)
2323
logger.warning("GnuTLS bye failed",
2324
exc_info=error)
2443
2325
2444
2326
@staticmethod
2445
2327
def peer_certificate(session):
2446
"Return the peer's certificate as a bytestring"
2447
try:
2448
cert_type = gnutls.certificate_type_get2(
2449
session, gnutls.CTYPE_PEERS)
2450
except AttributeError:
2451
cert_type = gnutls.certificate_type_get(session)
2452
if gnutls.has_rawpk:
2453
valid_cert_types = frozenset((gnutls.CRT_RAWPK,))
2454
else:
2455
valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))
2456
# If not a valid certificate type...
2457
if cert_type not in valid_cert_types:
2458
log.info("Cert type %r not in %r", cert_type,
2459
valid_cert_types)
2328
"Return the peer's OpenPGP certificate as a bytestring"
2329
# If not an OpenPGP certificate...
2330
if (gnutls.certificate_type_get(session._c_object)
2331
!= gnutls.CRT_OPENPGP):
2460
2332
# ...return invalid data
2461
2333
return b""
2462
2334
list_size = ctypes.c_uint(1)
2463
2335
cert_list = (gnutls.certificate_get_peers
2464
(session, ctypes.byref(list_size)))
2336
(session._c_object, ctypes.byref(list_size)))
2465
2337
if not bool(cert_list) and list_size.value != 0:
2466
2338
raise gnutls.Error("error getting peer certificate")
2467
2339
if list_size.value == 0:
2470
2342
return ctypes.string_at(cert.data, cert.size)
2471
2343
2472
2344
@staticmethod
2473
def key_id(certificate):
2474
"Convert a certificate bytestring to a hexdigit key ID"
2475
# New GnuTLS "datum" with the public key
2476
datum = gnutls.datum_t(
2477
ctypes.cast(ctypes.c_char_p(certificate),
2478
ctypes.POINTER(ctypes.c_ubyte)),
2479
ctypes.c_uint(len(certificate)))
2480
# XXX all these need to be created in the gnutls "module"
2481
# New empty GnuTLS certificate
2482
pubkey = gnutls.pubkey_t()
2483
gnutls.pubkey_init(ctypes.byref(pubkey))
2484
# Import the raw public key into the certificate
2485
gnutls.pubkey_import(pubkey,
2486
ctypes.byref(datum),
2487
gnutls.X509_FMT_DER)
2488
# New buffer for the key ID
2489
buf = ctypes.create_string_buffer(32)
2490
buf_len = ctypes.c_size_t(len(buf))
2491
# Get the key ID from the raw public key into the buffer
2492
gnutls.pubkey_get_key_id(
2493
pubkey,
2494
gnutls.KEYID_USE_SHA256,
2495
ctypes.cast(ctypes.byref(buf),
2496
ctypes.POINTER(ctypes.c_ubyte)),
2497
ctypes.byref(buf_len))
2498
# Deinit the certificate
2499
gnutls.pubkey_deinit(pubkey)
2500
2501
# Convert the buffer to a Python bytestring
2502
key_id = ctypes.string_at(buf, buf_len.value)
2503
# Convert the bytestring to hexadecimal notation
2504
hex_key_id = binascii.hexlify(key_id).upper()
2505
return hex_key_id
2506
2507
@staticmethod
2508
2345
def fingerprint(openpgp):
2509
2346
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2510
2347
# New GnuTLS "datum" with the OpenPGP public key
2524
2361
ctypes.byref(crtverify))
2525
2362
if crtverify.value != 0:
2526
2363
gnutls.openpgp_crt_deinit(crt)
2527
raise gnutls.CertificateSecurityError(code
2528
=crtverify.value)
2364
raise gnutls.CertificateSecurityError("Verify failed")
2529
2365
# New buffer for the fingerprint
2530
2366
buf = ctypes.create_string_buffer(20)
2531
2367
buf_len = ctypes.c_size_t()
2541
2377
return hex_fpr
2542
2378
2543
2379
2544
class MultiprocessingMixIn:
2380
class MultiprocessingMixIn(object):
2545
2381
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2546
2382
2547
2383
def sub_process_main(self, request, address):
2559
2395
return proc
2560
2396
2561
2397
2562
class MultiprocessingMixInWithPipe(MultiprocessingMixIn):
2398
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2563
2399
""" adds a pipe to the MixIn """
2564
2400
2565
2401
def process_request(self, request, client_address):
2580
2416
2581
2417
2582
2418
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2583
socketserver.TCPServer):
2584
"""IPv6-capable TCP server. Accepts None as address and/or port
2419
socketserver.TCPServer, object):
2420
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2585
2421
2586
2422
Attributes:
2587
2423
enabled: Boolean; whether this server is activated yet
2638
2474
if SO_BINDTODEVICE is None:
2639
2475
# Fall back to a hard-coded value which seems to be
2640
2476
# common enough.
2641
log.warning("SO_BINDTODEVICE not found, trying 25")
2477
logger.warning("SO_BINDTODEVICE not found, trying 25")
2642
2478
SO_BINDTODEVICE = 25
2643
2479
try:
2644
2480
self.socket.setsockopt(
2646
2482
(self.interface + "\0").encode("utf-8"))
2647
2483
except socket.error as error:
2648
2484
if error.errno == errno.EPERM:
2649
log.error("No permission to bind to interface %s",
2650
self.interface)
2485
logger.error("No permission to bind to"
2486
" interface %s", self.interface)
2651
2487
elif error.errno == errno.ENOPROTOOPT:
2652
log.error("SO_BINDTODEVICE not available; cannot"
2653
" bind to interface %s", self.interface)
2488
logger.error("SO_BINDTODEVICE not available;"
2489
" cannot bind to interface %s",
2490
self.interface)
2654
2491
elif error.errno == errno.ENODEV:
2655
log.error("Interface %s does not exist, cannot"
2656
" bind", self.interface)
2492
logger.error("Interface %s does not exist,"
2493
" cannot bind", self.interface)
2657
2494
else:
2658
2495
raise
2659
2496
# Only bind(2) the socket if we really need to.
2660
2497
if self.server_address[0] or self.server_address[1]:
2661
if self.server_address[1]:
2662
self.allow_reuse_address = True
2663
2498
if not self.server_address[0]:
2664
2499
if self.address_family == socket.AF_INET6:
2665
2500
any_address = "::" # in6addr_any
2718
2553
def add_pipe(self, parent_pipe, proc):
2719
2554
# Call "handle_ipc" for both data and EOF events
2720
2555
GLib.io_add_watch(
2721
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2722
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2556
parent_pipe.fileno(),
2557
GLib.IO_IN | GLib.IO_HUP,
2723
2558
functools.partial(self.handle_ipc,
2724
2559
parent_pipe=parent_pipe,
2725
2560
proc=proc))
2738
2573
request = parent_pipe.recv()
2739
2574
command = request[0]
2740
2575
2741
if command == "init":
2742
key_id = request[1].decode("ascii")
2743
fpr = request[2].decode("ascii")
2744
address = request[3]
2576
if command == 'init':
2577
fpr = request[1]
2578
address = request[2]
2745
2579
2746
2580
for c in self.clients.values():
2747
if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"
2748
"27AE41E4649B934CA495991B7852B855"):
2749
continue
2750
if key_id and c.key_id == key_id:
2751
client = c
2752
break
2753
if fpr and c.fingerprint == fpr:
2581
if c.fingerprint == fpr:
2754
2582
client = c
2755
2583
break
2756
2584
else:
2757
log.info("Client not found for key ID: %s, address:"
2758
" %s", key_id or fpr, address)
2585
logger.info("Client not found for fingerprint: %s, ad"
2586
"dress: %s", fpr, address)
2759
2587
if self.use_dbus:
2760
2588
# Emit D-Bus signal
2761
mandos_dbus_service.ClientNotFound(key_id or fpr,
2589
mandos_dbus_service.ClientNotFound(fpr,
2762
2590
address[0])
2763
2591
parent_pipe.send(False)
2764
2592
return False
2765
2593
2766
2594
GLib.io_add_watch(
2767
GLib.IOChannel.unix_new(parent_pipe.fileno()),
2768
GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,
2595
parent_pipe.fileno(),
2596
GLib.IO_IN | GLib.IO_HUP,
2769
2597
functools.partial(self.handle_ipc,
2770
2598
parent_pipe=parent_pipe,
2771
2599
proc=proc,
2774
2602
# remove the old hook in favor of the new above hook on
2775
2603
# same fileno
2776
2604
return False
2777
if command == "funcall":
2605
if command == 'funcall':
2778
2606
funcname = request[1]
2779
2607
args = request[2]
2780
2608
kwargs = request[3]
2781
2609
2782
parent_pipe.send(("data", getattr(client_object,
2610
parent_pipe.send(('data', getattr(client_object,
2783
2611
funcname)(*args,
2784
2612
**kwargs)))
2785
2613
2786
if command == "getattr":
2614
if command == 'getattr':
2787
2615
attrname = request[1]
2788
2616
if isinstance(client_object.__getattribute__(attrname),
2789
collections.abc.Callable):
2790
parent_pipe.send(("function", ))
2617
collections.Callable):
2618
parent_pipe.send(('function', ))
2791
2619
else:
2792
2620
parent_pipe.send((
2793
"data", client_object.__getattribute__(attrname)))
2621
'data', client_object.__getattribute__(attrname)))
2794
2622
2795
if command == "setattr":
2623
if command == 'setattr':
2796
2624
attrname = request[1]
2797
2625
value = request[2]
2798
2626
setattr(client_object, attrname, value)
2803
2631
def rfc3339_duration_to_delta(duration):
2804
2632
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2805
2633
2806
>>> timedelta = datetime.timedelta
2807
>>> rfc3339_duration_to_delta("P7D") == timedelta(7)
2808
True
2809
>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)
2810
True
2811
>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)
2812
True
2813
>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)
2814
True
2815
>>> rfc3339_duration_to_delta("P1W") == timedelta(7)
2816
True
2817
>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)
2818
True
2819
>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)
2820
True
2821
>>> del timedelta
2634
>>> rfc3339_duration_to_delta("P7D")
2635
datetime.timedelta(7)
2636
>>> rfc3339_duration_to_delta("PT60S")
2637
datetime.timedelta(0, 60)
2638
>>> rfc3339_duration_to_delta("PT60M")
2639
datetime.timedelta(0, 3600)
2640
>>> rfc3339_duration_to_delta("PT24H")
2641
datetime.timedelta(1)
2642
>>> rfc3339_duration_to_delta("P1W")
2643
datetime.timedelta(7)
2644
>>> rfc3339_duration_to_delta("PT5M30S")
2645
datetime.timedelta(0, 330)
2646
>>> rfc3339_duration_to_delta("P1DT3M20S")
2647
datetime.timedelta(1, 200)
2822
2648
"""
2823
2649
2824
2650
# Parsing an RFC 3339 duration with regular expressions is not
2904
2730
def string_to_delta(interval):
2905
2731
"""Parse a string and return a datetime.timedelta
2906
2732
2907
>>> string_to_delta("7d") == datetime.timedelta(7)
2908
True
2909
>>> string_to_delta("60s") == datetime.timedelta(0, 60)
2910
True
2911
>>> string_to_delta("60m") == datetime.timedelta(0, 3600)
2912
True
2913
>>> string_to_delta("24h") == datetime.timedelta(1)
2914
True
2915
>>> string_to_delta("1w") == datetime.timedelta(7)
2916
True
2917
>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)
2918
True
2733
>>> string_to_delta('7d')
2734
datetime.timedelta(7)
2735
>>> string_to_delta('60s')
2736
datetime.timedelta(0, 60)
2737
>>> string_to_delta('60m')
2738
datetime.timedelta(0, 3600)
2739
>>> string_to_delta('24h')
2740
datetime.timedelta(1)
2741
>>> string_to_delta('1w')
2742
datetime.timedelta(7)
2743
>>> string_to_delta('5m 30s')
2744
datetime.timedelta(0, 330)
2919
2745
"""
2920
2746
2921
2747
try:
3023
2849
3024
2850
options = parser.parse_args()
3025
2851
2852
if options.check:
2853
import doctest
2854
fail_count, test_count = doctest.testmod()
2855
sys.exit(os.EX_OK if fail_count == 0 else 1)
2856
3026
2857
# Default values for config file for server-global settings
3027
if gnutls.has_rawpk:
3028
priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"
3029
":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")
3030
else:
3031
priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
3032
":+SIGN-DSA-SHA256")
3033
2858
server_defaults = {"interface": "",
3034
2859
"address": "",
3035
2860
"port": "",
3036
2861
"debug": "False",
3037
"priority": priority,
2862
"priority":
2863
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2864
":+SIGN-DSA-SHA256",
3038
2865
"servicename": "Mandos",
3039
2866
"use_dbus": "True",
3040
2867
"use_ipv6": "True",
3045
2872
"foreground": "False",
3046
2873
"zeroconf": "True",
3047
2874
}
3048
del priority
3049
2875
3050
2876
# Parse config file for server-global settings
3051
server_config = configparser.ConfigParser(server_defaults)
2877
server_config = configparser.SafeConfigParser(server_defaults)
3052
2878
del server_defaults
3053
2879
server_config.read(os.path.join(options.configdir, "mandos.conf"))
3054
# Convert the ConfigParser object to a dict
2880
# Convert the SafeConfigParser object to a dict
3055
2881
server_settings = server_config.defaults()
3056
2882
# Use the appropriate methods on the non-string config options
3057
for option in ("debug", "use_dbus", "use_ipv6", "restore",
3058
"foreground", "zeroconf"):
2883
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
3059
2884
server_settings[option] = server_config.getboolean("DEFAULT",
3060
2885
option)
3061
2886
if server_settings["port"]:
3124
2949
3125
2950
if server_settings["servicename"] != "Mandos":
3126
2951
syslogger.setFormatter(
3127
logging.Formatter("Mandos ({}) [%(process)d]:"
3128
" %(levelname)s: %(message)s".format(
2952
logging.Formatter('Mandos ({}) [%(process)d]:'
2953
' %(levelname)s: %(message)s'.format(
3129
2954
server_settings["servicename"])))
3130
2955
3131
2956
# Parse config file with clients
3132
client_config = configparser.ConfigParser(Client.client_defaults)
2957
client_config = configparser.SafeConfigParser(Client
2958
.client_defaults)
3133
2959
client_config.read(os.path.join(server_settings["configdir"],
3134
2960
"clients.conf"))
3135
2961
3155
2981
try:
3156
2982
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
3157
2983
except IOError as e:
3158
log.error("Could not open file %r", pidfilename,
3159
exc_info=e)
2984
logger.error("Could not open file %r", pidfilename,
2985
exc_info=e)
3160
2986
3161
2987
for name, group in (("_mandos", "_mandos"),
3162
2988
("mandos", "mandos"),
3173
2999
try:
3174
3000
os.setgid(gid)
3175
3001
os.setuid(uid)
3176
log.debug("Did setuid/setgid to %s:%s", uid, gid)
3002
if debug:
3003
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3004
gid))
3177
3005
except OSError as error:
3178
log.warning("Failed to setuid/setgid to %s:%s: %s", uid, gid,
3179
os.strerror(error.errno))
3006
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3007
.format(uid, gid, os.strerror(error.errno)))
3180
3008
if error.errno != errno.EPERM:
3181
3009
raise
3182
3010
3189
3017
3190
3018
@gnutls.log_func
3191
3019
def debug_gnutls(level, string):
3192
log.debug("GnuTLS: %s",
3193
string[:-1].decode("utf-8", errors="replace"))
3020
logger.debug("GnuTLS: %s", string[:-1])
3194
3021
3195
3022
gnutls.global_set_log_function(debug_gnutls)
3196
3023
3205
3032
# Close all input and output, do double fork, etc.
3206
3033
daemon()
3207
3034
3208
if gi.version_info < (3, 10, 2):
3209
# multiprocessing will use threads, so before we use GLib we
3210
# need to inform GLib that threads will be used.
3211
GLib.threads_init()
3035
# multiprocessing will use threads, so before we use GLib we need
3036
# to inform GLib that threads will be used.
3037
GLib.threads_init()
3212
3038
3213
3039
global main_loop
3214
3040
# From the Avahi example code
3225
3051
"se.bsnet.fukt.Mandos", bus,
3226
3052
do_not_queue=True)
3227
3053
except dbus.exceptions.DBusException as e:
3228
log.error("Disabling D-Bus:", exc_info=e)
3054
logger.error("Disabling D-Bus:", exc_info=e)
3229
3055
use_dbus = False
3230
3056
server_settings["use_dbus"] = False
3231
3057
tcp_server.use_dbus = False
3290
3116
if isinstance(s, bytes)
3291
3117
else s) for s in
3292
3118
value["client_structure"]]
3293
# .name, .host, and .checker_command
3294
for k in ("name", "host", "checker_command"):
3119
# .name & .host
3120
for k in ("name", "host"):
3295
3121
if isinstance(value[k], bytes):
3296
3122
value[k] = value[k].decode("utf-8")
3297
if "key_id" not in value:
3298
value["key_id"] = ""
3299
elif "fingerprint" not in value:
3300
value["fingerprint"] = ""
3301
3123
# old_client_settings
3302
3124
# .keys()
3303
3125
old_client_settings = {
3307
3129
for key, value in
3308
3130
bytes_old_client_settings.items()}
3309
3131
del bytes_old_client_settings
3310
# .host and .checker_command
3132
# .host
3311
3133
for value in old_client_settings.values():
3312
for attribute in ("host", "checker_command"):
3313
if isinstance(value[attribute], bytes):
3314
value[attribute] = (value[attribute]
3315
.decode("utf-8"))
3134
if isinstance(value["host"], bytes):
3135
value["host"] = (value["host"]
3136
.decode("utf-8"))
3316
3137
os.remove(stored_state_path)
3317
3138
except IOError as e:
3318
3139
if e.errno == errno.ENOENT:
3319
log.warning("Could not load persistent state:"
3320
" %s", os.strerror(e.errno))
3140
logger.warning("Could not load persistent state:"
3141
" {}".format(os.strerror(e.errno)))
3321
3142
else:
3322
log.critical("Could not load persistent state:",
3323
exc_info=e)
3143
logger.critical("Could not load persistent state:",
3144
exc_info=e)
3324
3145
raise
3325
3146
except EOFError as e:
3326
log.warning("Could not load persistent state: EOFError:",
3327
exc_info=e)
3147
logger.warning("Could not load persistent state: "
3148
"EOFError:",
3149
exc_info=e)
3328
3150
3329
3151
with PGPEngine() as pgp:
3330
3152
for client_name, client in clients_data.items():
3357
3179
if client["enabled"]:
3358
3180
if datetime.datetime.utcnow() >= client["expires"]:
3359
3181
if not client["last_checked_ok"]:
3360
log.warning("disabling client %s - Client"
3361
" never performed a successful"
3362
" checker", client_name)
3182
logger.warning(
3183
"disabling client {} - Client never "
3184
"performed a successful checker".format(
3185
client_name))
3363
3186
client["enabled"] = False
3364
3187
elif client["last_checker_status"] != 0:
3365
log.warning("disabling client %s - Client"
3366
" last checker failed with error"
3367
" code %s", client_name,
3368
client["last_checker_status"])
3188
logger.warning(
3189
"disabling client {} - Client last"
3190
" checker failed with error code"
3191
" {}".format(
3192
client_name,
3193
client["last_checker_status"]))
3369
3194
client["enabled"] = False
3370
3195
else:
3371
3196
client["expires"] = (
3372
3197
datetime.datetime.utcnow()
3373
3198
+ client["timeout"])
3374
log.debug("Last checker succeeded, keeping %s"
3375
" enabled", client_name)
3199
logger.debug("Last checker succeeded,"
3200
" keeping {} enabled".format(
3201
client_name))
3376
3202
try:
3377
3203
client["secret"] = pgp.decrypt(
3378
3204
client["encrypted_secret"],
3379
3205
client_settings[client_name]["secret"])
3380
3206
except PGPError:
3381
3207
# If decryption fails, we use secret from new settings
3382
log.debug("Failed to decrypt %s old secret",
3383
client_name)
3208
logger.debug("Failed to decrypt {} old secret".format(
3209
client_name))
3384
3210
client["secret"] = (client_settings[client_name]
3385
3211
["secret"])
3386
3212
3400
3226
server_settings=server_settings)
3401
3227
3402
3228
if not tcp_server.clients:
3403
log.warning("No clients defined")
3229
logger.warning("No clients defined")
3404
3230
3405
3231
if not foreground:
3406
3232
if pidfile is not None:
3409
3235
with pidfile:
3410
3236
print(pid, file=pidfile)
3411
3237
except IOError:
3412
log.error("Could not write to file %r with PID %d",
3413
pidfilename, pid)
3238
logger.error("Could not write to file %r with PID %d",
3239
pidfilename, pid)
3414
3240
del pidfile
3415
3241
del pidfilename
3416
3242
3436
3262
pass
3437
3263
3438
3264
@dbus.service.signal(_interface, signature="ss")
3439
def ClientNotFound(self, key_id, address):
3265
def ClientNotFound(self, fingerprint, address):
3440
3266
"D-Bus signal"
3441
3267
pass
3442
3268
3566
3392
3567
3393
try:
3568
3394
with tempfile.NamedTemporaryFile(
3569
mode="wb",
3395
mode='wb',
3570
3396
suffix=".pickle",
3571
prefix="clients-",
3397
prefix='clients-',
3572
3398
dir=os.path.dirname(stored_state_path),
3573
3399
delete=False) as stored_state:
3574
3400
pickle.dump((clients, client_settings), stored_state,
3582
3408
except NameError:
3583
3409
pass
3584
3410
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
3585
log.warning("Could not save persistent state: %s",
3586
os.strerror(e.errno))
3411
logger.warning("Could not save persistent state: {}"
3412
.format(os.strerror(e.errno)))
3587
3413
else:
3588
log.warning("Could not save persistent state:",
3589
exc_info=e)
3414
logger.warning("Could not save persistent state:",
3415
exc_info=e)
3590
3416
raise
3591
3417
3592
3418
# Delete all clients, and settings from config
3618
3444
if zeroconf:
3619
3445
service.port = tcp_server.socket.getsockname()[1]
3620
3446
if use_ipv6:
3621
log.info("Now listening on address %r, port %d, flowinfo %d,"
3622
" scope_id %d", *tcp_server.socket.getsockname())
3447
logger.info("Now listening on address %r, port %d,"
3448
" flowinfo %d, scope_id %d",
3449
*tcp_server.socket.getsockname())
3623
3450
else: # IPv4
3624
log.info("Now listening on address %r, port %d",
3625
*tcp_server.socket.getsockname())
3451
logger.info("Now listening on address %r, port %d",
3452
*tcp_server.socket.getsockname())
3626
3453
3627
3454
# service.interface = tcp_server.socket.getsockname()[3]
3628
3455
3632
3459
try:
3633
3460
service.activate()
3634
3461
except dbus.exceptions.DBusException as error:
3635
log.critical("D-Bus Exception", exc_info=error)
3462
logger.critical("D-Bus Exception", exc_info=error)
3636
3463
cleanup()
3637
3464
sys.exit(1)
3638
3465
# End of Avahi example code
3639
3466
3640
GLib.io_add_watch(
3641
GLib.IOChannel.unix_new(tcp_server.fileno()),
3642
GLib.PRIORITY_DEFAULT, GLib.IO_IN,
3643
lambda *args, **kwargs: (tcp_server.handle_request
3644
(*args[2:], **kwargs) or True))
3467
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3468
lambda *args, **kwargs:
3469
(tcp_server.handle_request
3470
(*args[2:], **kwargs) or True))
3645
3471
3646
log.debug("Starting main loop")
3472
logger.debug("Starting main loop")
3647
3473
main_loop.run()
3648
3474
except AvahiError as error:
3649
log.critical("Avahi Error", exc_info=error)
3475
logger.critical("Avahi Error", exc_info=error)
3650
3476
cleanup()
3651
3477
sys.exit(1)
3652
3478
except KeyboardInterrupt:
3653
3479
if debug:
3654
3480
print("", file=sys.stderr)
3655
log.debug("Server received KeyboardInterrupt")
3656
log.debug("Server exiting")
3481
logger.debug("Server received KeyboardInterrupt")
3482
logger.debug("Server exiting")
3657
3483
# Must run before the D-Bus bus name gets deregistered
3658
3484
cleanup()
3659
3485
3660
3661
def parse_test_args():
3662
# type: () -> argparse.Namespace
3663
parser = argparse.ArgumentParser(add_help=False)
3664
parser.add_argument("--check", action="store_true")
3665
parser.add_argument("--prefix", )
3666
args, unknown_args = parser.parse_known_args()
3667
if args.check:
3668
# Remove test options from sys.argv
3669
sys.argv[1:] = unknown_args
3670
return args
3671
3672
# Add all tests from doctest strings
3673
def load_tests(loader, tests, none):
3674
import doctest
3675
tests.addTests(doctest.DocTestSuite())
3676
return tests
3677
3678
if __name__ == "__main__":
3679
options = parse_test_args()
3680
try:
3681
if options.check:
3682
extra_test_prefix = options.prefix
3683
if extra_test_prefix is not None:
3684
if not (unittest.main(argv=[""], exit=False)
3685
.result.wasSuccessful()):
3686
sys.exit(1)
3687
class ExtraTestLoader(unittest.TestLoader):
3688
testMethodPrefix = extra_test_prefix
3689
# Call using ./scriptname --test [--verbose]
3690
unittest.main(argv=[""], testLoader=ExtraTestLoader())
3691
else:
3692
unittest.main(argv=[""])
3693
else:
3694
main()
3695
finally:
3696
logging.shutdown()
3697
3698
# Local Variables:
3699
# run-tests:
3700
# (lambda (&optional extra)
3701
# (if (not (funcall run-tests-in-test-buffer default-directory
3702
# extra))
3703
# (funcall show-test-buffer-in-test-window)
3704
# (funcall remove-test-window)
3705
# (if extra (message "Extra tests run successfully!"))))
3706
# run-tests-in-test-buffer:
3707
# (lambda (dir &optional extra)
3708
# (with-current-buffer (get-buffer-create "*Test*")
3709
# (setq buffer-read-only nil
3710
# default-directory dir)
3711
# (erase-buffer)
3712
# (compilation-mode))
3713
# (let ((process-result
3714
# (let ((inhibit-read-only t))
3715
# (process-file-shell-command
3716
# (funcall get-command-line extra) nil "*Test*"))))
3717
# (and (numberp process-result)
3718
# (= process-result 0))))
3719
# get-command-line:
3720
# (lambda (&optional extra)
3721
# (let ((quoted-script
3722
# (shell-quote-argument (funcall get-script-name))))
3723
# (format
3724
# (concat "%s --check" (if extra " --prefix=atest" ""))
3725
# quoted-script)))
3726
# get-script-name:
3727
# (lambda ()
3728
# (if (fboundp 'file-local-name)
3729
# (file-local-name (buffer-file-name))
3730
# (or (file-remote-p (buffer-file-name) 'localname)
3731
# (buffer-file-name))))
3732
# remove-test-window:
3733
# (lambda ()
3734
# (let ((test-window (get-buffer-window "*Test*")))
3735
# (if test-window (delete-window test-window))))
3736
# show-test-buffer-in-test-window:
3737
# (lambda ()
3738
# (when (not (get-buffer-window-list "*Test*"))
3739
# (setq next-error-last-buffer (get-buffer "*Test*"))
3740
# (let* ((side (if (>= (window-width) 146) 'right 'bottom))
3741
# (display-buffer-overriding-action
3742
# `((display-buffer-in-side-window) (side . ,side)
3743
# (window-height . fit-window-to-buffer)
3744
# (window-width . fit-window-to-buffer))))
3745
# (display-buffer "*Test*"))))
3746
# eval:
3747
# (progn
3748
# (let* ((run-extra-tests (lambda () (interactive)
3749
# (funcall run-tests t)))
3750
# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t
3751
# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c
3752
# (setq minor-mode-overriding-map-alist
3753
# (cons `(run-tests . ,outer-keymap)
3754
# minor-mode-overriding-map-alist)))
3755
# (add-hook 'after-save-hook run-tests 90 t))
3756
# End:
3486
3487
if __name__ == '__main__':
3488
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0