To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 874
- compare with another revision
- download diff
- download tarball
- view history from revision 874
- Committer: Teddy Hogeborn
- Date: 2016-08-25 17:37:05 UTC
- Revision ID: teddy@recompile.se-20160825173705-q2v6lban8ph9uw75
PEP8 compliance: mandos
* mandos: Add PEP8 compliance (as per the "pycodestyle" tool).
* mandos: Add PEP8 compliance (as per the "pycodestyle" tool).
added
removed
mandos
1
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2013 Teddy Hogeborn
15
# Copyright © 2008-2013 Björn Påhlsson
16
#
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
38
41
39
import SocketServer as socketserver
42
try:
43
import SocketServer as socketserver
44
except ImportError:
45
import socketserver
40
46
import socket
41
47
import argparse
42
48
import datetime
43
49
import errno
44
import gnutls.crypto
45
import gnutls.connection
46
import gnutls.errors
47
import gnutls.library.functions
48
import gnutls.library.constants
49
import gnutls.library.types
50
import ConfigParser as configparser
50
try:
51
import ConfigParser as configparser
52
except ImportError:
53
import configparser
51
54
import sys
52
55
import re
53
56
import os
62
65
import struct
63
66
import fcntl
64
67
import functools
65
import cPickle as pickle
68
try:
69
import cPickle as pickle
70
except ImportError:
71
import pickle
66
72
import multiprocessing
67
73
import types
68
74
import binascii
69
75
import tempfile
70
76
import itertools
71
77
import collections
78
import codecs
72
79
73
80
import dbus
74
81
import dbus.service
75
import gobject
76
import avahi
82
from gi.repository import GLib
77
83
from dbus.mainloop.glib import DBusGMainLoop
78
84
import ctypes
79
85
import ctypes.util
80
86
import xml.dom.minidom
81
87
import inspect
82
88
89
# Try to find the value of SO_BINDTODEVICE:
83
90
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
84
93
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
85
94
except AttributeError:
86
95
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
87
98
from IN import SO_BINDTODEVICE
88
99
except ImportError:
89
SO_BINDTODEVICE = None
90
91
version = "1.6.2"
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
113
114
if sys.version_info.major == 2:
115
str = unicode
116
117
version = "1.7.10"
92
118
stored_state_file = "clients.pickle"
93
119
94
120
logger = logging.getLogger()
95
syslogger = (logging.handlers.SysLogHandler
96
(facility = logging.handlers.SysLogHandler.LOG_DAEMON,
97
address = str("/dev/log")))
121
syslogger = None
98
122
99
123
try:
100
if_nametoindex = (ctypes.cdll.LoadLibrary
101
(ctypes.util.find_library("c"))
102
.if_nametoindex)
124
if_nametoindex = ctypes.cdll.LoadLibrary(
125
ctypes.util.find_library("c")).if_nametoindex
103
126
except (OSError, AttributeError):
127
104
128
def if_nametoindex(interface):
105
129
"Get an interface index the hard way, i.e. using fcntl()"
106
130
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
107
131
with contextlib.closing(socket.socket()) as s:
108
132
ifreq = fcntl.ioctl(s, SIOCGIFINDEX,
109
struct.pack(str("16s16x"),
110
interface))
111
interface_index = struct.unpack(str("I"),
112
ifreq[16:20])[0]
133
struct.pack(b"16s16x", interface))
134
interface_index = struct.unpack("I", ifreq[16:20])[0]
113
135
return interface_index
114
136
115
137
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
116
154
def initlogger(debug, level=logging.WARNING):
117
155
"""init logger and add loglevel"""
118
156
157
global syslogger
158
syslogger = (logging.handlers.SysLogHandler(
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
119
161
syslogger.setFormatter(logging.Formatter
120
162
('Mandos [%(process)d]: %(levelname)s:'
121
163
' %(message)s'))
122
164
logger.addHandler(syslogger)
123
165
124
166
if debug:
125
167
console = logging.StreamHandler()
126
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
138
180
139
181
class PGPEngine(object):
140
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
183
141
184
def __init__(self):
142
185
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
186
self.gpg = "gpg"
187
try:
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
191
if name == "gpg":
192
self.gpg = path
193
break
194
except OSError as e:
195
if e.errno != errno.ENOENT:
196
raise
143
197
self.gnupgargs = ['--batch',
144
'--home', self.tempdir,
198
'--homedir', self.tempdir,
145
199
'--force-mdc',
146
'--quiet',
147
'--no-use-agent']
148
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
149
205
def __enter__(self):
150
206
return self
151
207
152
208
def __exit__(self, exc_type, exc_value, traceback):
153
209
self._cleanup()
154
210
return False
155
211
156
212
def __del__(self):
157
213
self._cleanup()
158
214
159
215
def _cleanup(self):
160
216
if self.tempdir is not None:
161
217
# Delete contents of tempdir
162
218
for root, dirs, files in os.walk(self.tempdir,
163
topdown = False):
219
topdown=False):
164
220
for filename in files:
165
221
os.remove(os.path.join(root, filename))
166
222
for dirname in dirs:
168
224
# Remove tempdir
169
225
os.rmdir(self.tempdir)
170
226
self.tempdir = None
171
227
172
228
def password_encode(self, password):
173
229
# Passphrase can not be empty and can not contain newlines or
174
230
# NUL bytes. So we prefix it and hex encode it.
179
235
.replace(b"\n", b"\\n")
180
236
.replace(b"\0", b"\\x00"))
181
237
return encoded
182
238
183
239
def encrypt(self, data, password):
184
240
passphrase = self.password_encode(password)
185
with tempfile.NamedTemporaryFile(dir=self.tempdir
186
) as passfile:
241
with tempfile.NamedTemporaryFile(
242
dir=self.tempdir) as passfile:
187
243
passfile.write(passphrase)
188
244
passfile.flush()
189
proc = subprocess.Popen(['gpg', '--symmetric',
245
proc = subprocess.Popen([self.gpg, '--symmetric',
190
246
'--passphrase-file',
191
247
passfile.name]
192
248
+ self.gnupgargs,
193
stdin = subprocess.PIPE,
194
stdout = subprocess.PIPE,
195
stderr = subprocess.PIPE)
196
ciphertext, err = proc.communicate(input = data)
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
197
253
if proc.returncode != 0:
198
254
raise PGPError(err)
199
255
return ciphertext
200
256
201
257
def decrypt(self, data, password):
202
258
passphrase = self.password_encode(password)
203
with tempfile.NamedTemporaryFile(dir = self.tempdir
204
) as passfile:
259
with tempfile.NamedTemporaryFile(
260
dir=self.tempdir) as passfile:
205
261
passfile.write(passphrase)
206
262
passfile.flush()
207
proc = subprocess.Popen(['gpg', '--decrypt',
263
proc = subprocess.Popen([self.gpg, '--decrypt',
208
264
'--passphrase-file',
209
265
passfile.name]
210
266
+ self.gnupgargs,
211
stdin = subprocess.PIPE,
212
stdout = subprocess.PIPE,
213
stderr = subprocess.PIPE)
214
decrypted_plaintext, err = proc.communicate(input
215
= data)
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
216
271
if proc.returncode != 0:
217
272
raise PGPError(err)
218
273
return decrypted_plaintext
219
274
220
275
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
221
303
class AvahiError(Exception):
222
304
def __init__(self, value, *args, **kwargs):
223
305
self.value = value
224
super(AvahiError, self).__init__(value, *args, **kwargs)
225
def __unicode__(self):
226
return unicode(repr(self.value))
306
return super(AvahiError, self).__init__(value, *args,
307
**kwargs)
308
227
309
228
310
class AvahiServiceError(AvahiError):
229
311
pass
230
312
313
231
314
class AvahiGroupError(AvahiError):
232
315
pass
233
316
234
317
235
318
class AvahiService(object):
236
319
"""An Avahi (Zeroconf) service.
237
320
238
321
Attributes:
239
322
interface: integer; avahi.IF_UNSPEC or an interface index.
240
323
Used to optionally bind to the specified interface.
252
335
server: D-Bus Server
253
336
bus: dbus.SystemBus()
254
337
"""
255
256
def __init__(self, interface = avahi.IF_UNSPEC, name = None,
257
servicetype = None, port = None, TXT = None,
258
domain = "", host = "", max_renames = 32768,
259
protocol = avahi.PROTO_UNSPEC, bus = None):
338
339
def __init__(self,
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
260
350
self.interface = interface
261
351
self.name = name
262
352
self.type = servicetype
271
361
self.server = None
272
362
self.bus = bus
273
363
self.entry_group_state_changed_match = None
274
275
def rename(self):
364
365
def rename(self, remove=True):
276
366
"""Derived from the Avahi example code"""
277
367
if self.rename_count >= self.max_renames:
278
368
logger.critical("No suitable Zeroconf service name found"
279
369
" after %i retries, exiting.",
280
370
self.rename_count)
281
371
raise AvahiServiceError("Too many renames")
282
self.name = unicode(self.server
283
.GetAlternativeServiceName(self.name))
372
self.name = str(
373
self.server.GetAlternativeServiceName(self.name))
374
self.rename_count += 1
284
375
logger.info("Changing Zeroconf service name to %r ...",
285
376
self.name)
286
self.remove()
377
if remove:
378
self.remove()
287
379
try:
288
380
self.add()
289
381
except dbus.exceptions.DBusException as error:
290
logger.critical("D-Bus Exception", exc_info=error)
291
self.cleanup()
292
os._exit(1)
293
self.rename_count += 1
294
382
if (error.get_dbus_name()
383
== "org.freedesktop.Avahi.CollisionError"):
384
logger.info("Local Zeroconf service name collision.")
385
return self.rename(remove=False)
386
else:
387
logger.critical("D-Bus Exception", exc_info=error)
388
self.cleanup()
389
os._exit(1)
390
295
391
def remove(self):
296
392
"""Derived from the Avahi example code"""
297
393
if self.entry_group_state_changed_match is not None:
299
395
self.entry_group_state_changed_match = None
300
396
if self.group is not None:
301
397
self.group.Reset()
302
398
303
399
def add(self):
304
400
"""Derived from the Avahi example code"""
305
401
self.remove()
322
418
dbus.UInt16(self.port),
323
419
avahi.string_array_to_txt_array(self.TXT))
324
420
self.group.Commit()
325
421
326
422
def entry_group_state_changed(self, state, error):
327
423
"""Derived from the Avahi example code"""
328
424
logger.debug("Avahi entry group state change: %i", state)
329
425
330
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
331
427
logger.debug("Zeroconf service established.")
332
428
elif state == avahi.ENTRY_GROUP_COLLISION:
334
430
self.rename()
335
431
elif state == avahi.ENTRY_GROUP_FAILURE:
336
432
logger.critical("Avahi: Error in group state changed %s",
337
unicode(error))
338
raise AvahiGroupError("State changed: {0!s}"
339
.format(error))
340
433
str(error))
434
raise AvahiGroupError("State changed: {!s}".format(error))
435
341
436
def cleanup(self):
342
437
"""Derived from the Avahi example code"""
343
438
if self.group is not None:
348
443
pass
349
444
self.group = None
350
445
self.remove()
351
446
352
447
def server_state_changed(self, state, error=None):
353
448
"""Derived from the Avahi example code"""
354
449
logger.debug("Avahi server state change: %i", state)
355
bad_states = { avahi.SERVER_INVALID:
356
"Zeroconf server invalid",
357
avahi.SERVER_REGISTERING: None,
358
avahi.SERVER_COLLISION:
359
"Zeroconf server name collision",
360
avahi.SERVER_FAILURE:
361
"Zeroconf server failure" }
450
bad_states = {
451
avahi.SERVER_INVALID: "Zeroconf server invalid",
452
avahi.SERVER_REGISTERING: None,
453
avahi.SERVER_COLLISION: "Zeroconf server name collision",
454
avahi.SERVER_FAILURE: "Zeroconf server failure",
455
}
362
456
if state in bad_states:
363
457
if bad_states[state] is not None:
364
458
if error is None:
367
461
logger.error(bad_states[state] + ": %r", error)
368
462
self.cleanup()
369
463
elif state == avahi.SERVER_RUNNING:
370
self.add()
464
try:
465
self.add()
466
except dbus.exceptions.DBusException as error:
467
if (error.get_dbus_name()
468
== "org.freedesktop.Avahi.CollisionError"):
469
logger.info("Local Zeroconf service name"
470
" collision.")
471
return self.rename(remove=False)
472
else:
473
logger.critical("D-Bus Exception", exc_info=error)
474
self.cleanup()
475
os._exit(1)
371
476
else:
372
477
if error is None:
373
478
logger.debug("Unknown state: %r", state)
374
479
else:
375
480
logger.debug("Unknown state: %r: %r", state, error)
376
481
377
482
def activate(self):
378
483
"""Derived from the Avahi example code"""
379
484
if self.server is None:
383
488
follow_name_owner_changes=True),
384
489
avahi.DBUS_INTERFACE_SERVER)
385
490
self.server.connect_to_signal("StateChanged",
386
self.server_state_changed)
491
self.server_state_changed)
387
492
self.server_state_changed(self.server.GetState())
388
493
389
494
390
495
class AvahiServiceToSyslog(AvahiService):
391
def rename(self):
496
def rename(self, *args, **kwargs):
392
497
"""Add the new name to the syslog messages"""
393
ret = AvahiService.rename(self)
394
syslogger.setFormatter(logging.Formatter
395
('Mandos ({0}) [%(process)d]:'
396
' %(levelname)s: %(message)s'
397
.format(self.name)))
498
ret = AvahiService.rename(self, *args, **kwargs)
499
syslogger.setFormatter(logging.Formatter(
500
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
501
.format(self.name)))
398
502
return ret
399
503
400
504
401
def timedelta_to_milliseconds(td):
402
"Convert a datetime.timedelta() to milliseconds"
403
return ((td.days * 24 * 60 * 60 * 1000)
404
+ (td.seconds * 1000)
405
+ (td.microseconds // 1000))
505
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
509
510
_library = ctypes.cdll.LoadLibrary(
511
ctypes.util.find_library("gnutls"))
512
_need_version = b"3.3.0"
513
514
def __init__(self):
515
# Need to use class name "GnuTLS" here, since this method is
516
# called before the assignment to the "gnutls" global variable
517
# happens.
518
if GnuTLS.check_version(self._need_version) is None:
519
raise GnuTLS.Error("Needs GnuTLS {} or later"
520
.format(self._need_version))
521
522
# Unless otherwise indicated, the constants and types below are
523
# all from the gnutls/gnutls.h C header file.
524
525
# Constants
526
E_SUCCESS = 0
527
E_INTERRUPTED = -52
528
E_AGAIN = -28
529
CRT_OPENPGP = 2
530
CLIENT = 2
531
SHUT_RDWR = 0
532
CRD_CERTIFICATE = 1
533
E_NO_CERTIFICATE_FOUND = -49
534
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
535
536
# Types
537
class session_int(ctypes.Structure):
538
_fields_ = []
539
session_t = ctypes.POINTER(session_int)
540
541
class certificate_credentials_st(ctypes.Structure):
542
_fields_ = []
543
certificate_credentials_t = ctypes.POINTER(
544
certificate_credentials_st)
545
certificate_type_t = ctypes.c_int
546
547
class datum_t(ctypes.Structure):
548
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
549
('size', ctypes.c_uint)]
550
551
class openpgp_crt_int(ctypes.Structure):
552
_fields_ = []
553
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
554
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
555
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
556
credentials_type_t = ctypes.c_int
557
transport_ptr_t = ctypes.c_void_p
558
close_request_t = ctypes.c_int
559
560
# Exceptions
561
class Error(Exception):
562
# We need to use the class name "GnuTLS" here, since this
563
# exception might be raised from within GnuTLS.__init__,
564
# which is called before the assignment to the "gnutls"
565
# global variable has happened.
566
def __init__(self, message=None, code=None, args=()):
567
# Default usage is by a message string, but if a return
568
# code is passed, convert it to a string with
569
# gnutls.strerror()
570
self.code = code
571
if message is None and code is not None:
572
message = GnuTLS.strerror(code)
573
return super(GnuTLS.Error, self).__init__(
574
message, *args)
575
576
class CertificateSecurityError(Error):
577
pass
578
579
# Classes
580
class Credentials(object):
581
def __init__(self):
582
self._c_object = gnutls.certificate_credentials_t()
583
gnutls.certificate_allocate_credentials(
584
ctypes.byref(self._c_object))
585
self.type = gnutls.CRD_CERTIFICATE
586
587
def __del__(self):
588
gnutls.certificate_free_credentials(self._c_object)
589
590
class ClientSession(object):
591
def __init__(self, socket, credentials=None):
592
self._c_object = gnutls.session_t()
593
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
594
gnutls.set_default_priority(self._c_object)
595
gnutls.transport_set_ptr(self._c_object, socket.fileno())
596
gnutls.handshake_set_private_extensions(self._c_object,
597
True)
598
self.socket = socket
599
if credentials is None:
600
credentials = gnutls.Credentials()
601
gnutls.credentials_set(self._c_object, credentials.type,
602
ctypes.cast(credentials._c_object,
603
ctypes.c_void_p))
604
self.credentials = credentials
605
606
def __del__(self):
607
gnutls.deinit(self._c_object)
608
609
def handshake(self):
610
return gnutls.handshake(self._c_object)
611
612
def send(self, data):
613
data = bytes(data)
614
data_len = len(data)
615
while data_len > 0:
616
data_len -= gnutls.record_send(self._c_object,
617
data[-data_len:],
618
data_len)
619
620
def bye(self):
621
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
622
623
# Error handling functions
624
def _error_code(result):
625
"""A function to raise exceptions on errors, suitable
626
for the 'restype' attribute on ctypes functions"""
627
if result >= 0:
628
return result
629
if result == gnutls.E_NO_CERTIFICATE_FOUND:
630
raise gnutls.CertificateSecurityError(code=result)
631
raise gnutls.Error(code=result)
632
633
def _retry_on_error(result, func, arguments):
634
"""A function to retry on some errors, suitable
635
for the 'errcheck' attribute on ctypes functions"""
636
while result < 0:
637
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
638
return _error_code(result)
639
result = func(*arguments)
640
return result
641
642
# Unless otherwise indicated, the function declarations below are
643
# all from the gnutls/gnutls.h C header file.
644
645
# Functions
646
priority_set_direct = _library.gnutls_priority_set_direct
647
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
648
ctypes.POINTER(ctypes.c_char_p)]
649
priority_set_direct.restype = _error_code
650
651
init = _library.gnutls_init
652
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
653
init.restype = _error_code
654
655
set_default_priority = _library.gnutls_set_default_priority
656
set_default_priority.argtypes = [session_t]
657
set_default_priority.restype = _error_code
658
659
record_send = _library.gnutls_record_send
660
record_send.argtypes = [session_t, ctypes.c_void_p,
661
ctypes.c_size_t]
662
record_send.restype = ctypes.c_ssize_t
663
record_send.errcheck = _retry_on_error
664
665
certificate_allocate_credentials = (
666
_library.gnutls_certificate_allocate_credentials)
667
certificate_allocate_credentials.argtypes = [
668
ctypes.POINTER(certificate_credentials_t)]
669
certificate_allocate_credentials.restype = _error_code
670
671
certificate_free_credentials = (
672
_library.gnutls_certificate_free_credentials)
673
certificate_free_credentials.argtypes = [
674
certificate_credentials_t]
675
certificate_free_credentials.restype = None
676
677
handshake_set_private_extensions = (
678
_library.gnutls_handshake_set_private_extensions)
679
handshake_set_private_extensions.argtypes = [session_t,
680
ctypes.c_int]
681
handshake_set_private_extensions.restype = None
682
683
credentials_set = _library.gnutls_credentials_set
684
credentials_set.argtypes = [session_t, credentials_type_t,
685
ctypes.c_void_p]
686
credentials_set.restype = _error_code
687
688
strerror = _library.gnutls_strerror
689
strerror.argtypes = [ctypes.c_int]
690
strerror.restype = ctypes.c_char_p
691
692
certificate_type_get = _library.gnutls_certificate_type_get
693
certificate_type_get.argtypes = [session_t]
694
certificate_type_get.restype = _error_code
695
696
certificate_get_peers = _library.gnutls_certificate_get_peers
697
certificate_get_peers.argtypes = [session_t,
698
ctypes.POINTER(ctypes.c_uint)]
699
certificate_get_peers.restype = ctypes.POINTER(datum_t)
700
701
global_set_log_level = _library.gnutls_global_set_log_level
702
global_set_log_level.argtypes = [ctypes.c_int]
703
global_set_log_level.restype = None
704
705
global_set_log_function = _library.gnutls_global_set_log_function
706
global_set_log_function.argtypes = [log_func]
707
global_set_log_function.restype = None
708
709
deinit = _library.gnutls_deinit
710
deinit.argtypes = [session_t]
711
deinit.restype = None
712
713
handshake = _library.gnutls_handshake
714
handshake.argtypes = [session_t]
715
handshake.restype = _error_code
716
handshake.errcheck = _retry_on_error
717
718
transport_set_ptr = _library.gnutls_transport_set_ptr
719
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
720
transport_set_ptr.restype = None
721
722
bye = _library.gnutls_bye
723
bye.argtypes = [session_t, close_request_t]
724
bye.restype = _error_code
725
bye.errcheck = _retry_on_error
726
727
check_version = _library.gnutls_check_version
728
check_version.argtypes = [ctypes.c_char_p]
729
check_version.restype = ctypes.c_char_p
730
731
# All the function declarations below are from gnutls/openpgp.h
732
733
openpgp_crt_init = _library.gnutls_openpgp_crt_init
734
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
735
openpgp_crt_init.restype = _error_code
736
737
openpgp_crt_import = _library.gnutls_openpgp_crt_import
738
openpgp_crt_import.argtypes = [openpgp_crt_t,
739
ctypes.POINTER(datum_t),
740
openpgp_crt_fmt_t]
741
openpgp_crt_import.restype = _error_code
742
743
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
744
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
745
ctypes.POINTER(ctypes.c_uint)]
746
openpgp_crt_verify_self.restype = _error_code
747
748
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
749
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
750
openpgp_crt_deinit.restype = None
751
752
openpgp_crt_get_fingerprint = (
753
_library.gnutls_openpgp_crt_get_fingerprint)
754
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
755
ctypes.c_void_p,
756
ctypes.POINTER(
757
ctypes.c_size_t)]
758
openpgp_crt_get_fingerprint.restype = _error_code
759
760
# Remove non-public functions
761
del _error_code, _retry_on_error
762
# Create the global "gnutls" object, simulating a module
763
gnutls = GnuTLS()
764
765
766
def call_pipe(connection, # : multiprocessing.Connection
767
func, *args, **kwargs):
768
"""This function is meant to be called by multiprocessing.Process
769
770
This function runs func(*args, **kwargs), and writes the resulting
771
return value on the provided multiprocessing.Connection.
772
"""
773
connection.send(func(*args, **kwargs))
774
connection.close()
406
775
407
776
408
777
class Client(object):
409
778
"""A representation of a client host served by this server.
410
779
411
780
Attributes:
412
781
approved: bool(); 'None' if not yet approved/disapproved
413
782
approval_delay: datetime.timedelta(); Time to wait for approval
415
784
checker: subprocess.Popen(); a running checker process used
416
785
to see if the client lives.
417
786
'None' if no process is running.
418
checker_callback_tag: a gobject event source tag, or None
787
checker_callback_tag: a GLib event source tag, or None
419
788
checker_command: string; External command which is run to check
420
789
if client lives. %() expansions are done at
421
790
runtime with vars(self) as dict, so that for
422
791
instance %(name)s can be used in the command.
423
checker_initiator_tag: a gobject event source tag, or None
792
checker_initiator_tag: a GLib event source tag, or None
424
793
created: datetime.datetime(); (UTC) object creation
425
794
client_structure: Object describing what attributes a client has
426
795
and is used for storing the client at exit
427
796
current_checker_command: string; current running checker_command
428
disable_initiator_tag: a gobject event source tag, or None
797
disable_initiator_tag: a GLib event source tag, or None
429
798
enabled: bool()
430
799
fingerprint: string (40 or 32 hexadecimal digits); used to
431
800
uniquely identify the client
436
805
last_checker_status: integer between 0 and 255 reflecting exit
437
806
status of last checker. -1 reflects crashed
438
807
checker, -2 means no checker completed yet.
808
last_checker_signal: The signal which killed the last checker, if
809
last_checker_status is -1
439
810
last_enabled: datetime.datetime(); (UTC) or None
440
811
name: string; from the config file, used in log messages and
441
812
D-Bus identifiers
448
819
disabled, or None
449
820
server_settings: The server_settings dict from main()
450
821
"""
451
822
452
823
runtime_expansions = ("approval_delay", "approval_duration",
453
824
"created", "enabled", "expires",
454
825
"fingerprint", "host", "interval",
455
826
"last_approval_request", "last_checked_ok",
456
827
"last_enabled", "name", "timeout")
457
client_defaults = { "timeout": "PT5M",
458
"extended_timeout": "PT15M",
459
"interval": "PT2M",
460
"checker": "fping -q -- %%(host)s",
461
"host": "",
462
"approval_delay": "PT0S",
463
"approval_duration": "PT1S",
464
"approved_by_default": "True",
465
"enabled": "True",
466
}
467
468
def timeout_milliseconds(self):
469
"Return the 'timeout' attribute in milliseconds"
470
return timedelta_to_milliseconds(self.timeout)
471
472
def extended_timeout_milliseconds(self):
473
"Return the 'extended_timeout' attribute in milliseconds"
474
return timedelta_to_milliseconds(self.extended_timeout)
475
476
def interval_milliseconds(self):
477
"Return the 'interval' attribute in milliseconds"
478
return timedelta_to_milliseconds(self.interval)
479
480
def approval_delay_milliseconds(self):
481
return timedelta_to_milliseconds(self.approval_delay)
482
828
client_defaults = {
829
"timeout": "PT5M",
830
"extended_timeout": "PT15M",
831
"interval": "PT2M",
832
"checker": "fping -q -- %%(host)s",
833
"host": "",
834
"approval_delay": "PT0S",
835
"approval_duration": "PT1S",
836
"approved_by_default": "True",
837
"enabled": "True",
838
}
839
483
840
@staticmethod
484
841
def config_parser(config):
485
842
"""Construct a new dict of client settings of this form:
492
849
for client_name in config.sections():
493
850
section = dict(config.items(client_name))
494
851
client = settings[client_name] = {}
495
852
496
853
client["host"] = section["host"]
497
854
# Reformat values from string types to Python types
498
855
client["approved_by_default"] = config.getboolean(
499
856
client_name, "approved_by_default")
500
857
client["enabled"] = config.getboolean(client_name,
501
858
"enabled")
502
859
860
# Uppercase and remove spaces from fingerprint for later
861
# comparison purposes with return value from the
862
# fingerprint() function
503
863
client["fingerprint"] = (section["fingerprint"].upper()
504
864
.replace(" ", ""))
505
865
if "secret" in section:
506
client["secret"] = section["secret"].decode("base64")
866
client["secret"] = codecs.decode(section["secret"]
867
.encode("utf-8"),
868
"base64")
507
869
elif "secfile" in section:
508
870
with open(os.path.expanduser(os.path.expandvars
509
871
(section["secfile"])),
510
872
"rb") as secfile:
511
873
client["secret"] = secfile.read()
512
874
else:
513
raise TypeError("No secret or secfile for section {0}"
875
raise TypeError("No secret or secfile for section {}"
514
876
.format(section))
515
877
client["timeout"] = string_to_delta(section["timeout"])
516
878
client["extended_timeout"] = string_to_delta(
524
886
client["last_approval_request"] = None
525
887
client["last_checked_ok"] = None
526
888
client["last_checker_status"] = -2
527
889
528
890
return settings
529
530
def __init__(self, settings, name = None, server_settings=None):
891
892
def __init__(self, settings, name=None, server_settings=None):
531
893
self.name = name
532
894
if server_settings is None:
533
895
server_settings = {}
534
896
self.server_settings = server_settings
535
897
# adding all client settings
536
for setting, value in settings.iteritems():
898
for setting, value in settings.items():
537
899
setattr(self, setting, value)
538
900
539
901
if self.enabled:
540
902
if not hasattr(self, "last_enabled"):
541
903
self.last_enabled = datetime.datetime.utcnow()
545
907
else:
546
908
self.last_enabled = None
547
909
self.expires = None
548
910
549
911
logger.debug("Creating client %r", self.name)
550
# Uppercase and remove spaces from fingerprint for later
551
# comparison purposes with return value from the fingerprint()
552
# function
553
912
logger.debug(" Fingerprint: %s", self.fingerprint)
554
913
self.created = settings.get("created",
555
914
datetime.datetime.utcnow())
556
915
557
916
# attributes specific for this server instance
558
917
self.checker = None
559
918
self.checker_initiator_tag = None
562
921
self.current_checker_command = None
563
922
self.approved = None
564
923
self.approvals_pending = 0
565
self.changedstate = (multiprocessing_manager
566
.Condition(multiprocessing_manager
567
.Lock()))
568
self.client_structure = [attr for attr in
569
self.__dict__.iterkeys()
924
self.changedstate = multiprocessing_manager.Condition(
925
multiprocessing_manager.Lock())
926
self.client_structure = [attr
927
for attr in self.__dict__.keys()
570
928
if not attr.startswith("_")]
571
929
self.client_structure.append("client_structure")
572
573
for name, t in inspect.getmembers(type(self),
574
lambda obj:
575
isinstance(obj,
576
property)):
930
931
for name, t in inspect.getmembers(
932
type(self), lambda obj: isinstance(obj, property)):
577
933
if not name.startswith("_"):
578
934
self.client_structure.append(name)
579
935
580
936
# Send notice to process children that client state has changed
581
937
def send_changedstate(self):
582
938
with self.changedstate:
583
939
self.changedstate.notify_all()
584
940
585
941
def enable(self):
586
942
"""Start this client's checker and timeout hooks"""
587
943
if getattr(self, "enabled", False):
592
948
self.last_enabled = datetime.datetime.utcnow()
593
949
self.init_checker()
594
950
self.send_changedstate()
595
951
596
952
def disable(self, quiet=True):
597
953
"""Disable this client."""
598
954
if not getattr(self, "enabled", False):
600
956
if not quiet:
601
957
logger.info("Disabling client %s", self.name)
602
958
if getattr(self, "disable_initiator_tag", None) is not None:
603
gobject.source_remove(self.disable_initiator_tag)
959
GLib.source_remove(self.disable_initiator_tag)
604
960
self.disable_initiator_tag = None
605
961
self.expires = None
606
962
if getattr(self, "checker_initiator_tag", None) is not None:
607
gobject.source_remove(self.checker_initiator_tag)
963
GLib.source_remove(self.checker_initiator_tag)
608
964
self.checker_initiator_tag = None
609
965
self.stop_checker()
610
966
self.enabled = False
611
967
if not quiet:
612
968
self.send_changedstate()
613
# Do not run this again if called by a gobject.timeout_add
969
# Do not run this again if called by a GLib.timeout_add
614
970
return False
615
971
616
972
def __del__(self):
617
973
self.disable()
618
974
619
975
def init_checker(self):
620
976
# Schedule a new checker to be started an 'interval' from now,
621
977
# and every interval from then on.
622
978
if self.checker_initiator_tag is not None:
623
gobject.source_remove(self.checker_initiator_tag)
624
self.checker_initiator_tag = (gobject.timeout_add
625
(self.interval_milliseconds(),
626
self.start_checker))
979
GLib.source_remove(self.checker_initiator_tag)
980
self.checker_initiator_tag = GLib.timeout_add(
981
int(self.interval.total_seconds() * 1000),
982
self.start_checker)
627
983
# Schedule a disable() when 'timeout' has passed
628
984
if self.disable_initiator_tag is not None:
629
gobject.source_remove(self.disable_initiator_tag)
630
self.disable_initiator_tag = (gobject.timeout_add
631
(self.timeout_milliseconds(),
632
self.disable))
985
GLib.source_remove(self.disable_initiator_tag)
986
self.disable_initiator_tag = GLib.timeout_add(
987
int(self.timeout.total_seconds() * 1000), self.disable)
633
988
# Also start a new checker *right now*.
634
989
self.start_checker()
635
636
def checker_callback(self, pid, condition, command):
990
991
def checker_callback(self, source, condition, connection,
992
command):
637
993
"""The checker has completed, so take appropriate actions."""
638
994
self.checker_callback_tag = None
639
995
self.checker = None
640
if os.WIFEXITED(condition):
641
self.last_checker_status = os.WEXITSTATUS(condition)
996
# Read return code from connection (see call_pipe)
997
returncode = connection.recv()
998
connection.close()
999
1000
if returncode >= 0:
1001
self.last_checker_status = returncode
1002
self.last_checker_signal = None
642
1003
if self.last_checker_status == 0:
643
1004
logger.info("Checker for %(name)s succeeded",
644
1005
vars(self))
645
1006
self.checked_ok()
646
1007
else:
647
logger.info("Checker for %(name)s failed",
648
vars(self))
1008
logger.info("Checker for %(name)s failed", vars(self))
649
1009
else:
650
1010
self.last_checker_status = -1
1011
self.last_checker_signal = -returncode
651
1012
logger.warning("Checker for %(name)s crashed?",
652
1013
vars(self))
653
1014
return False
1015
654
1016
def checked_ok(self):
655
1017
"""Assert that the client has been seen, alive and well."""
656
1018
self.last_checked_ok = datetime.datetime.utcnow()
657
1019
self.last_checker_status = 0
1020
self.last_checker_signal = None
658
1021
self.bump_timeout()
659
1022
660
1023
def bump_timeout(self, timeout=None):
661
1024
"""Bump up the timeout for this client."""
662
1025
if timeout is None:
663
1026
timeout = self.timeout
664
1027
if self.disable_initiator_tag is not None:
665
gobject.source_remove(self.disable_initiator_tag)
1028
GLib.source_remove(self.disable_initiator_tag)
666
1029
self.disable_initiator_tag = None
667
1030
if getattr(self, "enabled", False):
668
self.disable_initiator_tag = (gobject.timeout_add
669
(timedelta_to_milliseconds
670
(timeout), self.disable))
1031
self.disable_initiator_tag = GLib.timeout_add(
1032
int(timeout.total_seconds() * 1000), self.disable)
671
1033
self.expires = datetime.datetime.utcnow() + timeout
672
1034
673
1035
def need_approval(self):
674
1036
self.last_approval_request = datetime.datetime.utcnow()
675
1037
676
1038
def start_checker(self):
677
1039
"""Start a new checker subprocess if one is not running.
678
1040
679
1041
If a checker already exists, leave it running and do
680
1042
nothing."""
681
1043
# The reason for not killing a running checker is that if we
686
1048
# checkers alone, the checker would have to take more time
687
1049
# than 'timeout' for the client to be disabled, which is as it
688
1050
# should be.
689
690
# If a checker exists, make sure it is not a zombie
691
try:
692
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
693
except AttributeError:
694
pass
695
except OSError as error:
696
if error.errno != errno.ECHILD:
697
raise
698
else:
699
if pid:
700
logger.warning("Checker was a zombie")
701
gobject.source_remove(self.checker_callback_tag)
702
self.checker_callback(pid, status,
703
self.current_checker_command)
1051
1052
if self.checker is not None and not self.checker.is_alive():
1053
logger.warning("Checker was not alive; joining")
1054
self.checker.join()
1055
self.checker = None
704
1056
# Start a new checker if needed
705
1057
if self.checker is None:
706
1058
# Escape attributes for the shell
707
escaped_attrs = dict(
708
(attr, re.escape(unicode(getattr(self, attr))))
709
for attr in
710
self.runtime_expansions)
1059
escaped_attrs = {
1060
attr: re.escape(str(getattr(self, attr)))
1061
for attr in self.runtime_expansions}
711
1062
try:
712
1063
command = self.checker_command % escaped_attrs
713
1064
except TypeError as error:
714
1065
logger.error('Could not format string "%s"',
715
self.checker_command, exc_info=error)
716
return True # Try again later
1066
self.checker_command,
1067
exc_info=error)
1068
return True # Try again later
717
1069
self.current_checker_command = command
718
try:
719
logger.info("Starting checker %r for %s",
720
command, self.name)
721
# We don't need to redirect stdout and stderr, since
722
# in normal mode, that is already done by daemon(),
723
# and in debug mode we don't want to. (Stdin is
724
# always replaced by /dev/null.)
725
# The exception is when not debugging but nevertheless
726
# running in the foreground; use the previously
727
# created wnull.
728
popen_args = {}
729
if (not self.server_settings["debug"]
730
and self.server_settings["foreground"]):
731
popen_args.update({"stdout": wnull,
732
"stderr": wnull })
733
self.checker = subprocess.Popen(command,
734
close_fds=True,
735
shell=True, cwd="/",
736
**popen_args)
737
except OSError as error:
738
logger.error("Failed to start subprocess",
739
exc_info=error)
740
return True
741
self.checker_callback_tag = (gobject.child_watch_add
742
(self.checker.pid,
743
self.checker_callback,
744
data=command))
745
# The checker may have completed before the gobject
746
# watch was added. Check for this.
747
try:
748
pid, status = os.waitpid(self.checker.pid, os.WNOHANG)
749
except OSError as error:
750
if error.errno == errno.ECHILD:
751
# This should never happen
752
logger.error("Child process vanished",
753
exc_info=error)
754
return True
755
raise
756
if pid:
757
gobject.source_remove(self.checker_callback_tag)
758
self.checker_callback(pid, status, command)
759
# Re-run this periodically if run by gobject.timeout_add
1070
logger.info("Starting checker %r for %s", command,
1071
self.name)
1072
# We don't need to redirect stdout and stderr, since
1073
# in normal mode, that is already done by daemon(),
1074
# and in debug mode we don't want to. (Stdin is
1075
# always replaced by /dev/null.)
1076
# The exception is when not debugging but nevertheless
1077
# running in the foreground; use the previously
1078
# created wnull.
1079
popen_args = {"close_fds": True,
1080
"shell": True,
1081
"cwd": "/"}
1082
if (not self.server_settings["debug"]
1083
and self.server_settings["foreground"]):
1084
popen_args.update({"stdout": wnull,
1085
"stderr": wnull})
1086
pipe = multiprocessing.Pipe(duplex=False)
1087
self.checker = multiprocessing.Process(
1088
target=call_pipe,
1089
args=(pipe[1], subprocess.call, command),
1090
kwargs=popen_args)
1091
self.checker.start()
1092
self.checker_callback_tag = GLib.io_add_watch(
1093
pipe[0].fileno(), GLib.IO_IN,
1094
self.checker_callback, pipe[0], command)
1095
# Re-run this periodically if run by GLib.timeout_add
760
1096
return True
761
1097
762
1098
def stop_checker(self):
763
1099
"""Force the checker process, if any, to stop."""
764
1100
if self.checker_callback_tag:
765
gobject.source_remove(self.checker_callback_tag)
1101
GLib.source_remove(self.checker_callback_tag)
766
1102
self.checker_callback_tag = None
767
1103
if getattr(self, "checker", None) is None:
768
1104
return
769
1105
logger.debug("Stopping checker for %(name)s", vars(self))
770
try:
771
self.checker.terminate()
772
#time.sleep(0.5)
773
#if self.checker.poll() is None:
774
# self.checker.kill()
775
except OSError as error:
776
if error.errno != errno.ESRCH: # No such process
777
raise
1106
self.checker.terminate()
778
1107
self.checker = None
779
1108
780
1109
781
def dbus_service_property(dbus_interface, signature="v",
782
access="readwrite", byte_arrays=False):
1110
def dbus_service_property(dbus_interface,
1111
signature="v",
1112
access="readwrite",
1113
byte_arrays=False):
783
1114
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1115
become properties on the D-Bus.
785
1116
786
1117
The decorated method will be called with no arguments by "Get"
787
1118
and with one argument by "Set".
788
1119
789
1120
The parameters, where they are supported, are the same as
790
1121
dbus.service.method, except there is only "signature", since the
791
1122
type from Get() and the type sent to Set() is the same.
794
1125
# "Set" method, so we fail early here:
795
1126
if byte_arrays and signature != "ay":
796
1127
raise ValueError("Byte arrays not supported for non-'ay'"
797
" signature {0!r}".format(signature))
1128
" signature {!r}".format(signature))
1129
798
1130
def decorator(func):
799
1131
func._dbus_is_property = True
800
1132
func._dbus_interface = dbus_interface
803
1135
func._dbus_name = func.__name__
804
1136
if func._dbus_name.endswith("_dbus_property"):
805
1137
func._dbus_name = func._dbus_name[:-14]
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1138
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
1139
return func
1140
808
1141
return decorator
809
1142
810
1143
811
1144
def dbus_interface_annotations(dbus_interface):
812
1145
"""Decorator for marking functions returning interface annotations
813
1146
814
1147
Usage:
815
1148
816
1149
@dbus_interface_annotations("org.example.Interface")
817
1150
def _foo(self): # Function name does not matter
818
1151
return {"org.freedesktop.DBus.Deprecated": "true",
819
1152
"org.freedesktop.DBus.Property.EmitsChangedSignal":
820
1153
"false"}
821
1154
"""
1155
822
1156
def decorator(func):
823
1157
func._dbus_is_interface = True
824
1158
func._dbus_interface = dbus_interface
825
1159
func._dbus_name = dbus_interface
826
1160
return func
1161
827
1162
return decorator
828
1163
829
1164
830
1165
def dbus_annotations(annotations):
831
1166
"""Decorator to annotate D-Bus methods, signals or properties
832
1167
Usage:
833
1168
1169
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
1170
"org.freedesktop.DBus.Property."
1171
"EmitsChangedSignal": "false"})
834
1172
@dbus_service_property("org.example.Interface", signature="b",
835
1173
access="r")
836
@dbus_annotations({{"org.freedesktop.DBus.Deprecated": "true",
837
"org.freedesktop.DBus.Property."
838
"EmitsChangedSignal": "false"})
839
1174
def Property_dbus_property(self):
840
1175
return dbus.Boolean(False)
1176
1177
See also the DBusObjectWithAnnotations class.
841
1178
"""
1179
842
1180
def decorator(func):
843
1181
func._dbus_annotations = annotations
844
1182
return func
1183
845
1184
return decorator
846
1185
847
1186
848
1187
class DBusPropertyException(dbus.exceptions.DBusException):
849
1188
"""A base class for D-Bus property-related exceptions
850
1189
"""
851
def __unicode__(self):
852
return unicode(str(self))
1190
pass
853
1191
854
1192
855
1193
class DBusPropertyAccessException(DBusPropertyException):
864
1202
pass
865
1203
866
1204
867
class DBusObjectWithProperties(dbus.service.Object):
868
"""A D-Bus object with properties.
869
870
Classes inheriting from this can use the dbus_service_property
871
decorator to expose methods as D-Bus properties. It exposes the
872
standard Get(), Set(), and GetAll() methods on the D-Bus.
1205
class DBusObjectWithAnnotations(dbus.service.Object):
1206
"""A D-Bus object with annotations.
1207
1208
Classes inheriting from this can use the dbus_annotations
1209
decorator to add annotations to methods or signals.
873
1210
"""
874
1211
875
1212
@staticmethod
876
1213
def _is_dbus_thing(thing):
877
1214
"""Returns a function testing if an attribute is a D-Bus thing
878
1215
879
1216
If called like _is_dbus_thing("method") it returns a function
880
1217
suitable for use as predicate to inspect.getmembers().
881
1218
"""
882
return lambda obj: getattr(obj, "_dbus_is_{0}".format(thing),
1219
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
883
1220
False)
884
1221
885
1222
def _get_all_dbus_things(self, thing):
886
1223
"""Returns a generator of (name, attribute) pairs
887
1224
"""
888
return ((getattr(athing.__get__(self), "_dbus_name",
889
name),
1225
return ((getattr(athing.__get__(self), "_dbus_name", name),
890
1226
athing.__get__(self))
891
1227
for cls in self.__class__.__mro__
892
1228
for name, athing in
893
inspect.getmembers(cls,
894
self._is_dbus_thing(thing)))
895
1229
inspect.getmembers(cls, self._is_dbus_thing(thing)))
1230
1231
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1232
out_signature="s",
1233
path_keyword='object_path',
1234
connection_keyword='connection')
1235
def Introspect(self, object_path, connection):
1236
"""Overloading of standard D-Bus method.
1237
1238
Inserts annotation tags on methods and signals.
1239
"""
1240
xmlstring = dbus.service.Object.Introspect(self, object_path,
1241
connection)
1242
try:
1243
document = xml.dom.minidom.parseString(xmlstring)
1244
1245
for if_tag in document.getElementsByTagName("interface"):
1246
# Add annotation tags
1247
for typ in ("method", "signal"):
1248
for tag in if_tag.getElementsByTagName(typ):
1249
annots = dict()
1250
for name, prop in (self.
1251
_get_all_dbus_things(typ)):
1252
if (name == tag.getAttribute("name")
1253
and prop._dbus_interface
1254
== if_tag.getAttribute("name")):
1255
annots.update(getattr(
1256
prop, "_dbus_annotations", {}))
1257
for name, value in annots.items():
1258
ann_tag = document.createElement(
1259
"annotation")
1260
ann_tag.setAttribute("name", name)
1261
ann_tag.setAttribute("value", value)
1262
tag.appendChild(ann_tag)
1263
# Add interface annotation tags
1264
for annotation, value in dict(
1265
itertools.chain.from_iterable(
1266
annotations().items()
1267
for name, annotations
1268
in self._get_all_dbus_things("interface")
1269
if name == if_tag.getAttribute("name")
1270
)).items():
1271
ann_tag = document.createElement("annotation")
1272
ann_tag.setAttribute("name", annotation)
1273
ann_tag.setAttribute("value", value)
1274
if_tag.appendChild(ann_tag)
1275
# Fix argument name for the Introspect method itself
1276
if (if_tag.getAttribute("name")
1277
== dbus.INTROSPECTABLE_IFACE):
1278
for cn in if_tag.getElementsByTagName("method"):
1279
if cn.getAttribute("name") == "Introspect":
1280
for arg in cn.getElementsByTagName("arg"):
1281
if (arg.getAttribute("direction")
1282
== "out"):
1283
arg.setAttribute("name",
1284
"xml_data")
1285
xmlstring = document.toxml("utf-8")
1286
document.unlink()
1287
except (AttributeError, xml.dom.DOMException,
1288
xml.parsers.expat.ExpatError) as error:
1289
logger.error("Failed to override Introspection method",
1290
exc_info=error)
1291
return xmlstring
1292
1293
1294
class DBusObjectWithProperties(DBusObjectWithAnnotations):
1295
"""A D-Bus object with properties.
1296
1297
Classes inheriting from this can use the dbus_service_property
1298
decorator to expose methods as D-Bus properties. It exposes the
1299
standard Get(), Set(), and GetAll() methods on the D-Bus.
1300
"""
1301
896
1302
def _get_dbus_property(self, interface_name, property_name):
897
1303
"""Returns a bound method if one exists which is a D-Bus
898
1304
property with the specified name and interface.
899
1305
"""
900
for cls in self.__class__.__mro__:
901
for name, value in (inspect.getmembers
902
(cls,
903
self._is_dbus_thing("property"))):
1306
for cls in self.__class__.__mro__:
1307
for name, value in inspect.getmembers(
1308
cls, self._is_dbus_thing("property")):
904
1309
if (value._dbus_name == property_name
905
1310
and value._dbus_interface == interface_name):
906
1311
return value.__get__(self)
907
1312
908
1313
# No such property
909
raise DBusPropertyNotFound(self.dbus_object_path + ":"
910
+ interface_name + "."
911
+ property_name)
912
913
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ss",
1314
raise DBusPropertyNotFound("{}:{}.{}".format(
1315
self.dbus_object_path, interface_name, property_name))
1316
1317
@classmethod
1318
def _get_all_interface_names(cls):
1319
"""Get a sequence of all interfaces supported by an object"""
1320
return (name for name in set(getattr(getattr(x, attr),
1321
"_dbus_interface", None)
1322
for x in (inspect.getmro(cls))
1323
for attr in dir(x))
1324
if name is not None)
1325
1326
@dbus.service.method(dbus.PROPERTIES_IFACE,
1327
in_signature="ss",
914
1328
out_signature="v")
915
1329
def Get(self, interface_name, property_name):
916
1330
"""Standard D-Bus property Get() method, see D-Bus standard.
922
1336
if not hasattr(value, "variant_level"):
923
1337
return value
924
1338
return type(value)(value, variant_level=value.variant_level+1)
925
1339
926
1340
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
927
1341
def Set(self, interface_name, property_name, value):
928
1342
"""Standard D-Bus property Set() method, see D-Bus standard.
934
1348
# The byte_arrays option is not supported yet on
935
1349
# signatures other than "ay".
936
1350
if prop._dbus_signature != "ay":
937
raise ValueError
1351
raise ValueError("Byte arrays not supported for non-"
1352
"'ay' signature {!r}"
1353
.format(prop._dbus_signature))
938
1354
value = dbus.ByteArray(b''.join(chr(byte)
939
1355
for byte in value))
940
1356
prop(value)
941
942
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="s",
1357
1358
@dbus.service.method(dbus.PROPERTIES_IFACE,
1359
in_signature="s",
943
1360
out_signature="a{sv}")
944
1361
def GetAll(self, interface_name):
945
1362
"""Standard D-Bus property GetAll() method, see D-Bus
946
1363
standard.
947
1364
948
1365
Note: Will not include properties with access="write".
949
1366
"""
950
1367
properties = {}
960
1377
if not hasattr(value, "variant_level"):
961
1378
properties[name] = value
962
1379
continue
963
properties[name] = type(value)(value, variant_level=
964
value.variant_level+1)
1380
properties[name] = type(value)(
1381
value, variant_level=value.variant_level + 1)
965
1382
return dbus.Dictionary(properties, signature="sv")
966
1383
1384
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1385
def PropertiesChanged(self, interface_name, changed_properties,
1386
invalidated_properties):
1387
"""Standard D-Bus PropertiesChanged() signal, see D-Bus
1388
standard.
1389
"""
1390
pass
1391
967
1392
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
968
1393
out_signature="s",
969
1394
path_keyword='object_path',
970
1395
connection_keyword='connection')
971
1396
def Introspect(self, object_path, connection):
972
1397
"""Overloading of standard D-Bus method.
973
1398
974
1399
Inserts property tags and interface annotation tags.
975
1400
"""
976
xmlstring = dbus.service.Object.Introspect(self, object_path,
977
connection)
1401
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1402
object_path,
1403
connection)
978
1404
try:
979
1405
document = xml.dom.minidom.parseString(xmlstring)
1406
980
1407
def make_tag(document, name, prop):
981
1408
e = document.createElement("property")
982
1409
e.setAttribute("name", name)
983
1410
e.setAttribute("type", prop._dbus_signature)
984
1411
e.setAttribute("access", prop._dbus_access)
985
1412
return e
1413
986
1414
for if_tag in document.getElementsByTagName("interface"):
987
1415
# Add property tags
988
1416
for tag in (make_tag(document, name, prop)
991
1419
if prop._dbus_interface
992
1420
== if_tag.getAttribute("name")):
993
1421
if_tag.appendChild(tag)
994
# Add annotation tags
995
for typ in ("method", "signal", "property"):
996
for tag in if_tag.getElementsByTagName(typ):
997
annots = dict()
998
for name, prop in (self.
999
_get_all_dbus_things(typ)):
1000
if (name == tag.getAttribute("name")
1001
and prop._dbus_interface
1002
== if_tag.getAttribute("name")):
1003
annots.update(getattr
1004
(prop,
1005
"_dbus_annotations",
1006
{}))
1007
for name, value in annots.iteritems():
1008
ann_tag = document.createElement(
1009
"annotation")
1010
ann_tag.setAttribute("name", name)
1011
ann_tag.setAttribute("value", value)
1012
tag.appendChild(ann_tag)
1013
# Add interface annotation tags
1014
for annotation, value in dict(
1015
itertools.chain.from_iterable(
1016
annotations().iteritems()
1017
for name, annotations in
1018
self._get_all_dbus_things("interface")
1019
if name == if_tag.getAttribute("name")
1020
)).iteritems():
1021
ann_tag = document.createElement("annotation")
1022
ann_tag.setAttribute("name", annotation)
1023
ann_tag.setAttribute("value", value)
1024
if_tag.appendChild(ann_tag)
1422
# Add annotation tags for properties
1423
for tag in if_tag.getElementsByTagName("property"):
1424
annots = dict()
1425
for name, prop in self._get_all_dbus_things(
1426
"property"):
1427
if (name == tag.getAttribute("name")
1428
and prop._dbus_interface
1429
== if_tag.getAttribute("name")):
1430
annots.update(getattr(
1431
prop, "_dbus_annotations", {}))
1432
for name, value in annots.items():
1433
ann_tag = document.createElement(
1434
"annotation")
1435
ann_tag.setAttribute("name", name)
1436
ann_tag.setAttribute("value", value)
1437
tag.appendChild(ann_tag)
1025
1438
# Add the names to the return values for the
1026
1439
# "org.freedesktop.DBus.Properties" methods
1027
1440
if (if_tag.getAttribute("name")
1045
1458
exc_info=error)
1046
1459
return xmlstring
1047
1460
1461
try:
1462
dbus.OBJECT_MANAGER_IFACE
1463
except AttributeError:
1464
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1465
1466
1467
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1468
"""A D-Bus object with an ObjectManager.
1469
1470
Classes inheriting from this exposes the standard
1471
GetManagedObjects call and the InterfacesAdded and
1472
InterfacesRemoved signals on the standard
1473
"org.freedesktop.DBus.ObjectManager" interface.
1474
1475
Note: No signals are sent automatically; they must be sent
1476
manually.
1477
"""
1478
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1479
out_signature="a{oa{sa{sv}}}")
1480
def GetManagedObjects(self):
1481
"""This function must be overridden"""
1482
raise NotImplementedError()
1483
1484
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1485
signature="oa{sa{sv}}")
1486
def InterfacesAdded(self, object_path, interfaces_and_properties):
1487
pass
1488
1489
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1490
def InterfacesRemoved(self, object_path, interfaces):
1491
pass
1492
1493
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1494
out_signature="s",
1495
path_keyword='object_path',
1496
connection_keyword='connection')
1497
def Introspect(self, object_path, connection):
1498
"""Overloading of standard D-Bus method.
1499
1500
Override return argument name of GetManagedObjects to be
1501
"objpath_interfaces_and_properties"
1502
"""
1503
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1504
object_path,
1505
connection)
1506
try:
1507
document = xml.dom.minidom.parseString(xmlstring)
1508
1509
for if_tag in document.getElementsByTagName("interface"):
1510
# Fix argument name for the GetManagedObjects method
1511
if (if_tag.getAttribute("name")
1512
== dbus.OBJECT_MANAGER_IFACE):
1513
for cn in if_tag.getElementsByTagName("method"):
1514
if (cn.getAttribute("name")
1515
== "GetManagedObjects"):
1516
for arg in cn.getElementsByTagName("arg"):
1517
if (arg.getAttribute("direction")
1518
== "out"):
1519
arg.setAttribute(
1520
"name",
1521
"objpath_interfaces"
1522
"_and_properties")
1523
xmlstring = document.toxml("utf-8")
1524
document.unlink()
1525
except (AttributeError, xml.dom.DOMException,
1526
xml.parsers.expat.ExpatError) as error:
1527
logger.error("Failed to override Introspection method",
1528
exc_info=error)
1529
return xmlstring
1530
1048
1531
1049
1532
def datetime_to_dbus(dt, variant_level=0):
1050
1533
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1051
1534
if dt is None:
1052
return dbus.String("", variant_level = variant_level)
1053
return dbus.String(dt.isoformat(),
1054
variant_level=variant_level)
1535
return dbus.String("", variant_level=variant_level)
1536
return dbus.String(dt.isoformat(), variant_level=variant_level)
1055
1537
1056
1538
1057
1539
def alternate_dbus_interfaces(alt_interface_names, deprecate=True):
1059
1541
dbus.service.Object, it will add alternate D-Bus attributes with
1060
1542
interface names according to the "alt_interface_names" mapping.
1061
1543
Usage:
1062
1544
1063
1545
@alternate_dbus_interfaces({"org.example.Interface":
1064
1546
"net.example.AlternateInterface"})
1065
1547
class SampleDBusObject(dbus.service.Object):
1066
1548
@dbus.service.method("org.example.Interface")
1067
1549
def SampleDBusMethod():
1068
1550
pass
1069
1551
1070
1552
The above "SampleDBusMethod" on "SampleDBusObject" will be
1071
1553
reachable via two interfaces: "org.example.Interface" and
1072
1554
"net.example.AlternateInterface", the latter of which will have
1073
1555
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1074
1556
"true", unless "deprecate" is passed with a False value.
1075
1557
1076
1558
This works for methods and signals, and also for D-Bus properties
1077
1559
(from DBusObjectWithProperties) and interfaces (from the
1078
1560
dbus_interface_annotations decorator).
1079
1561
"""
1562
1080
1563
def wrapper(cls):
1081
1564
for orig_interface_name, alt_interface_name in (
1082
alt_interface_names.iteritems()):
1565
alt_interface_names.items()):
1083
1566
attr = {}
1084
1567
interface_names = set()
1085
1568
# Go though all attributes of the class
1087
1570
# Ignore non-D-Bus attributes, and D-Bus attributes
1088
1571
# with the wrong interface name
1089
1572
if (not hasattr(attribute, "_dbus_interface")
1090
or not attribute._dbus_interface
1091
.startswith(orig_interface_name)):
1573
or not attribute._dbus_interface.startswith(
1574
orig_interface_name)):
1092
1575
continue
1093
1576
# Create an alternate D-Bus interface name based on
1094
1577
# the current name
1095
alt_interface = (attribute._dbus_interface
1096
.replace(orig_interface_name,
1097
alt_interface_name))
1578
alt_interface = attribute._dbus_interface.replace(
1579
orig_interface_name, alt_interface_name)
1098
1580
interface_names.add(alt_interface)
1099
1581
# Is this a D-Bus signal?
1100
1582
if getattr(attribute, "_dbus_is_signal", False):
1101
1583
# Extract the original non-method undecorated
1102
1584
# function by black magic
1103
nonmethod_func = (dict(
1585
if sys.version_info.major == 2:
1586
nonmethod_func = (dict(
1104
1587
zip(attribute.func_code.co_freevars,
1105
attribute.__closure__))["func"]
1106
.cell_contents)
1588
attribute.__closure__))
1589
["func"].cell_contents)
1590
else:
1591
nonmethod_func = (dict(
1592
zip(attribute.__code__.co_freevars,
1593
attribute.__closure__))
1594
["func"].cell_contents)
1107
1595
# Create a new, but exactly alike, function
1108
1596
# object, and decorate it to be a new D-Bus signal
1109
1597
# with the alternate D-Bus interface name
1110
new_function = (dbus.service.signal
1111
(alt_interface,
1112
attribute._dbus_signature)
1113
(types.FunctionType(
1114
nonmethod_func.func_code,
1115
nonmethod_func.func_globals,
1116
nonmethod_func.func_name,
1117
nonmethod_func.func_defaults,
1118
nonmethod_func.func_closure)))
1598
new_function = copy_function(nonmethod_func)
1599
new_function = (dbus.service.signal(
1600
alt_interface,
1601
attribute._dbus_signature)(new_function))
1119
1602
# Copy annotations, if any
1120
1603
try:
1121
new_function._dbus_annotations = (
1122
dict(attribute._dbus_annotations))
1604
new_function._dbus_annotations = dict(
1605
attribute._dbus_annotations)
1123
1606
except AttributeError:
1124
1607
pass
1608
1125
1609
# Define a creator of a function to call both the
1126
1610
# original and alternate functions, so both the
1127
1611
# original and alternate signals gets sent when
1130
1614
"""This function is a scope container to pass
1131
1615
func1 and func2 to the "call_both" function
1132
1616
outside of its arguments"""
1617
1618
@functools.wraps(func2)
1133
1619
def call_both(*args, **kwargs):
1134
1620
"""This function will emit two D-Bus
1135
1621
signals by calling func1 and func2"""
1136
1622
func1(*args, **kwargs)
1137
1623
func2(*args, **kwargs)
1624
# Make wrapper function look like a D-Bus
1625
# signal
1626
for name, attr in inspect.getmembers(func2):
1627
if name.startswith("_dbus_"):
1628
setattr(call_both, name, attr)
1629
1138
1630
return call_both
1139
1631
# Create the "call_both" function and add it to
1140
1632
# the class
1145
1637
# object. Decorate it to be a new D-Bus method
1146
1638
# with the alternate D-Bus interface name. Add it
1147
1639
# to the class.
1148
attr[attrname] = (dbus.service.method
1149
(alt_interface,
1150
attribute._dbus_in_signature,
1151
attribute._dbus_out_signature)
1152
(types.FunctionType
1153
(attribute.func_code,
1154
attribute.func_globals,
1155
attribute.func_name,
1156
attribute.func_defaults,
1157
attribute.func_closure)))
1640
attr[attrname] = (
1641
dbus.service.method(
1642
alt_interface,
1643
attribute._dbus_in_signature,
1644
attribute._dbus_out_signature)
1645
(copy_function(attribute)))
1158
1646
# Copy annotations, if any
1159
1647
try:
1160
attr[attrname]._dbus_annotations = (
1161
dict(attribute._dbus_annotations))
1648
attr[attrname]._dbus_annotations = dict(
1649
attribute._dbus_annotations)
1162
1650
except AttributeError:
1163
1651
pass
1164
1652
# Is this a D-Bus property?
1167
1655
# object, and decorate it to be a new D-Bus
1168
1656
# property with the alternate D-Bus interface
1169
1657
# name. Add it to the class.
1170
attr[attrname] = (dbus_service_property
1171
(alt_interface,
1172
attribute._dbus_signature,
1173
attribute._dbus_access,
1174
attribute
1175
._dbus_get_args_options
1176
["byte_arrays"])
1177
(types.FunctionType
1178
(attribute.func_code,
1179
attribute.func_globals,
1180
attribute.func_name,
1181
attribute.func_defaults,
1182
attribute.func_closure)))
1658
attr[attrname] = (dbus_service_property(
1659
alt_interface, attribute._dbus_signature,
1660
attribute._dbus_access,
1661
attribute._dbus_get_args_options
1662
["byte_arrays"])
1663
(copy_function(attribute)))
1183
1664
# Copy annotations, if any
1184
1665
try:
1185
attr[attrname]._dbus_annotations = (
1186
dict(attribute._dbus_annotations))
1666
attr[attrname]._dbus_annotations = dict(
1667
attribute._dbus_annotations)
1187
1668
except AttributeError:
1188
1669
pass
1189
1670
# Is this a D-Bus interface?
1192
1673
# object. Decorate it to be a new D-Bus interface
1193
1674
# with the alternate D-Bus interface name. Add it
1194
1675
# to the class.
1195
attr[attrname] = (dbus_interface_annotations
1196
(alt_interface)
1197
(types.FunctionType
1198
(attribute.func_code,
1199
attribute.func_globals,
1200
attribute.func_name,
1201
attribute.func_defaults,
1202
attribute.func_closure)))
1676
attr[attrname] = (
1677
dbus_interface_annotations(alt_interface)
1678
(copy_function(attribute)))
1203
1679
if deprecate:
1204
1680
# Deprecate all alternate interfaces
1205
iname="_AlternateDBusNames_interface_annotation{0}"
1681
iname = "_AlternateDBusNames_interface_annotation{}"
1206
1682
for interface_name in interface_names:
1683
1207
1684
@dbus_interface_annotations(interface_name)
1208
1685
def func(self):
1209
return { "org.freedesktop.DBus.Deprecated":
1210
"true" }
1686
return {"org.freedesktop.DBus.Deprecated":
1687
"true"}
1211
1688
# Find an unused name
1212
1689
for aname in (iname.format(i)
1213
1690
for i in itertools.count()):
1217
1694
if interface_names:
1218
1695
# Replace the class with a new subclass of it with
1219
1696
# methods, signals, etc. as created above.
1220
cls = type(b"{0}Alternate".format(cls.__name__),
1221
(cls,), attr)
1697
if sys.version_info.major == 2:
1698
cls = type(b"{}Alternate".format(cls.__name__),
1699
(cls, ), attr)
1700
else:
1701
cls = type("{}Alternate".format(cls.__name__),
1702
(cls, ), attr)
1222
1703
return cls
1704
1223
1705
return wrapper
1224
1706
1225
1707
1226
1708
@alternate_dbus_interfaces({"se.recompile.Mandos":
1227
"se.bsnet.fukt.Mandos"})
1709
"se.bsnet.fukt.Mandos"})
1228
1710
class ClientDBus(Client, DBusObjectWithProperties):
1229
1711
"""A Client class using D-Bus
1230
1712
1231
1713
Attributes:
1232
1714
dbus_object_path: dbus.ObjectPath
1233
1715
bus: dbus.SystemBus()
1234
1716
"""
1235
1717
1236
1718
runtime_expansions = (Client.runtime_expansions
1237
+ ("dbus_object_path",))
1238
1719
+ ("dbus_object_path", ))
1720
1721
_interface = "se.recompile.Mandos.Client"
1722
1239
1723
# dbus.service.Object doesn't use super(), so we can't either.
1240
1241
def __init__(self, bus = None, *args, **kwargs):
1724
1725
def __init__(self, bus=None, *args, **kwargs):
1242
1726
self.bus = bus
1243
1727
Client.__init__(self, *args, **kwargs)
1244
1728
# Only now, when this client is initialized, can it show up on
1245
1729
# the D-Bus
1246
client_object_name = unicode(self.name).translate(
1730
client_object_name = str(self.name).translate(
1247
1731
{ord("."): ord("_"),
1248
1732
ord("-"): ord("_")})
1249
self.dbus_object_path = (dbus.ObjectPath
1250
("/clients/" + client_object_name))
1733
self.dbus_object_path = dbus.ObjectPath(
1734
"/clients/" + client_object_name)
1251
1735
DBusObjectWithProperties.__init__(self, self.bus,
1252
1736
self.dbus_object_path)
1253
1254
def notifychangeproperty(transform_func,
1255
dbus_name, type_func=lambda x: x,
1256
variant_level=1):
1737
1738
def notifychangeproperty(transform_func, dbus_name,
1739
type_func=lambda x: x,
1740
variant_level=1,
1741
invalidate_only=False,
1742
_interface=_interface):
1257
1743
""" Modify a variable so that it's a property which announces
1258
1744
its changes to DBus.
1259
1745
1260
1746
transform_fun: Function that takes a value and a variant_level
1261
1747
and transforms it to a D-Bus type.
1262
1748
dbus_name: D-Bus name of the variable
1264
1750
to the D-Bus. Default: no transform
1265
1751
variant_level: D-Bus variant level. Default: 1
1266
1752
"""
1267
attrname = "_{0}".format(dbus_name)
1753
attrname = "_{}".format(dbus_name)
1754
1268
1755
def setter(self, value):
1269
1756
if hasattr(self, "dbus_object_path"):
1270
1757
if (not hasattr(self, attrname) or
1271
1758
type_func(getattr(self, attrname, None))
1272
1759
!= type_func(value)):
1273
dbus_value = transform_func(type_func(value),
1274
variant_level
1275
=variant_level)
1276
self.PropertyChanged(dbus.String(dbus_name),
1277
dbus_value)
1760
if invalidate_only:
1761
self.PropertiesChanged(
1762
_interface, dbus.Dictionary(),
1763
dbus.Array((dbus_name, )))
1764
else:
1765
dbus_value = transform_func(
1766
type_func(value),
1767
variant_level=variant_level)
1768
self.PropertyChanged(dbus.String(dbus_name),
1769
dbus_value)
1770
self.PropertiesChanged(
1771
_interface,
1772
dbus.Dictionary({dbus.String(dbus_name):
1773
dbus_value}),
1774
dbus.Array())
1278
1775
setattr(self, attrname, value)
1279
1776
1280
1777
return property(lambda self: getattr(self, attrname), setter)
1281
1778
1282
1779
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1283
1780
approvals_pending = notifychangeproperty(dbus.Boolean,
1284
1781
"ApprovalPending",
1285
type_func = bool)
1782
type_func=bool)
1286
1783
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1287
1784
last_enabled = notifychangeproperty(datetime_to_dbus,
1288
1785
"LastEnabled")
1289
checker = notifychangeproperty(dbus.Boolean, "CheckerRunning",
1290
type_func = lambda checker:
1291
checker is not None)
1786
checker = notifychangeproperty(
1787
dbus.Boolean, "CheckerRunning",
1788
type_func=lambda checker: checker is not None)
1292
1789
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1293
1790
"LastCheckedOK")
1294
1791
last_checker_status = notifychangeproperty(dbus.Int16,
1297
1794
datetime_to_dbus, "LastApprovalRequest")
1298
1795
approved_by_default = notifychangeproperty(dbus.Boolean,
1299
1796
"ApprovedByDefault")
1300
approval_delay = notifychangeproperty(dbus.UInt64,
1301
"ApprovalDelay",
1302
type_func =
1303
timedelta_to_milliseconds)
1797
approval_delay = notifychangeproperty(
1798
dbus.UInt64, "ApprovalDelay",
1799
type_func=lambda td: td.total_seconds() * 1000)
1304
1800
approval_duration = notifychangeproperty(
1305
1801
dbus.UInt64, "ApprovalDuration",
1306
type_func = timedelta_to_milliseconds)
1802
type_func=lambda td: td.total_seconds() * 1000)
1307
1803
host = notifychangeproperty(dbus.String, "Host")
1308
timeout = notifychangeproperty(dbus.UInt64, "Timeout",
1309
type_func =
1310
timedelta_to_milliseconds)
1804
timeout = notifychangeproperty(
1805
dbus.UInt64, "Timeout",
1806
type_func=lambda td: td.total_seconds() * 1000)
1311
1807
extended_timeout = notifychangeproperty(
1312
1808
dbus.UInt64, "ExtendedTimeout",
1313
type_func = timedelta_to_milliseconds)
1314
interval = notifychangeproperty(dbus.UInt64,
1315
"Interval",
1316
type_func =
1317
timedelta_to_milliseconds)
1809
type_func=lambda td: td.total_seconds() * 1000)
1810
interval = notifychangeproperty(
1811
dbus.UInt64, "Interval",
1812
type_func=lambda td: td.total_seconds() * 1000)
1318
1813
checker_command = notifychangeproperty(dbus.String, "Checker")
1319
1814
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1815
invalidate_only=True)
1816
1320
1817
del notifychangeproperty
1321
1818
1322
1819
def __del__(self, *args, **kwargs):
1323
1820
try:
1324
1821
self.remove_from_connection()
1327
1824
if hasattr(DBusObjectWithProperties, "__del__"):
1328
1825
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1329
1826
Client.__del__(self, *args, **kwargs)
1330
1331
def checker_callback(self, pid, condition, command,
1332
*args, **kwargs):
1333
self.checker_callback_tag = None
1334
self.checker = None
1335
if os.WIFEXITED(condition):
1336
exitstatus = os.WEXITSTATUS(condition)
1827
1828
def checker_callback(self, source, condition,
1829
connection, command, *args, **kwargs):
1830
ret = Client.checker_callback(self, source, condition,
1831
connection, command, *args,
1832
**kwargs)
1833
exitstatus = self.last_checker_status
1834
if exitstatus >= 0:
1337
1835
# Emit D-Bus signal
1338
1836
self.CheckerCompleted(dbus.Int16(exitstatus),
1339
dbus.Int64(condition),
1837
# This is specific to GNU libC
1838
dbus.Int64(exitstatus << 8),
1340
1839
dbus.String(command))
1341
1840
else:
1342
1841
# Emit D-Bus signal
1343
1842
self.CheckerCompleted(dbus.Int16(-1),
1344
dbus.Int64(condition),
1843
dbus.Int64(
1844
# This is specific to GNU libC
1845
(exitstatus << 8)
1846
| self.last_checker_signal),
1345
1847
dbus.String(command))
1346
1347
return Client.checker_callback(self, pid, condition, command,
1348
*args, **kwargs)
1349
1848
return ret
1849
1350
1850
def start_checker(self, *args, **kwargs):
1351
old_checker = self.checker
1352
if self.checker is not None:
1353
old_checker_pid = self.checker.pid
1354
else:
1355
old_checker_pid = None
1851
old_checker_pid = getattr(self.checker, "pid", None)
1356
1852
r = Client.start_checker(self, *args, **kwargs)
1357
1853
# Only if new checker process was started
1358
1854
if (self.checker is not None
1360
1856
# Emit D-Bus signal
1361
1857
self.CheckerStarted(self.current_checker_command)
1362
1858
return r
1363
1859
1364
1860
def _reset_approved(self):
1365
1861
self.approved = None
1366
1862
return False
1367
1863
1368
1864
def approve(self, value=True):
1369
1865
self.approved = value
1370
gobject.timeout_add(timedelta_to_milliseconds
1371
(self.approval_duration),
1372
self._reset_approved)
1866
GLib.timeout_add(int(self.approval_duration.total_seconds()
1867
* 1000), self._reset_approved)
1373
1868
self.send_changedstate()
1374
1375
## D-Bus methods, signals & properties
1376
_interface = "se.recompile.Mandos.Client"
1377
1378
## Interfaces
1379
1380
@dbus_interface_annotations(_interface)
1381
def _foo(self):
1382
return { "org.freedesktop.DBus.Property.EmitsChangedSignal":
1383
"false"}
1384
1385
## Signals
1386
1869
1870
# D-Bus methods, signals & properties
1871
1872
# Interfaces
1873
1874
# Signals
1875
1387
1876
# CheckerCompleted - signal
1388
1877
@dbus.service.signal(_interface, signature="nxs")
1389
1878
def CheckerCompleted(self, exitcode, waitstatus, command):
1390
1879
"D-Bus signal"
1391
1880
pass
1392
1881
1393
1882
# CheckerStarted - signal
1394
1883
@dbus.service.signal(_interface, signature="s")
1395
1884
def CheckerStarted(self, command):
1396
1885
"D-Bus signal"
1397
1886
pass
1398
1887
1399
1888
# PropertyChanged - signal
1889
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1400
1890
@dbus.service.signal(_interface, signature="sv")
1401
1891
def PropertyChanged(self, property, value):
1402
1892
"D-Bus signal"
1403
1893
pass
1404
1894
1405
1895
# GotSecret - signal
1406
1896
@dbus.service.signal(_interface)
1407
1897
def GotSecret(self):
1410
1900
server to mandos-client
1411
1901
"""
1412
1902
pass
1413
1903
1414
1904
# Rejected - signal
1415
1905
@dbus.service.signal(_interface, signature="s")
1416
1906
def Rejected(self, reason):
1417
1907
"D-Bus signal"
1418
1908
pass
1419
1909
1420
1910
# NeedApproval - signal
1421
1911
@dbus.service.signal(_interface, signature="tb")
1422
1912
def NeedApproval(self, timeout, default):
1423
1913
"D-Bus signal"
1424
1914
return self.need_approval()
1425
1426
## Methods
1427
1915
1916
# Methods
1917
1428
1918
# Approve - method
1429
1919
@dbus.service.method(_interface, in_signature="b")
1430
1920
def Approve(self, value):
1431
1921
self.approve(value)
1432
1922
1433
1923
# CheckedOK - method
1434
1924
@dbus.service.method(_interface)
1435
1925
def CheckedOK(self):
1436
1926
self.checked_ok()
1437
1927
1438
1928
# Enable - method
1929
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1439
1930
@dbus.service.method(_interface)
1440
1931
def Enable(self):
1441
1932
"D-Bus method"
1442
1933
self.enable()
1443
1934
1444
1935
# StartChecker - method
1936
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1445
1937
@dbus.service.method(_interface)
1446
1938
def StartChecker(self):
1447
1939
"D-Bus method"
1448
1940
self.start_checker()
1449
1941
1450
1942
# Disable - method
1943
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1451
1944
@dbus.service.method(_interface)
1452
1945
def Disable(self):
1453
1946
"D-Bus method"
1454
1947
self.disable()
1455
1948
1456
1949
# StopChecker - method
1950
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1457
1951
@dbus.service.method(_interface)
1458
1952
def StopChecker(self):
1459
1953
self.stop_checker()
1460
1461
## Properties
1462
1954
1955
# Properties
1956
1463
1957
# ApprovalPending - property
1464
1958
@dbus_service_property(_interface, signature="b", access="read")
1465
1959
def ApprovalPending_dbus_property(self):
1466
1960
return dbus.Boolean(bool(self.approvals_pending))
1467
1961
1468
1962
# ApprovedByDefault - property
1469
@dbus_service_property(_interface, signature="b",
1963
@dbus_service_property(_interface,
1964
signature="b",
1470
1965
access="readwrite")
1471
1966
def ApprovedByDefault_dbus_property(self, value=None):
1472
1967
if value is None: # get
1473
1968
return dbus.Boolean(self.approved_by_default)
1474
1969
self.approved_by_default = bool(value)
1475
1970
1476
1971
# ApprovalDelay - property
1477
@dbus_service_property(_interface, signature="t",
1972
@dbus_service_property(_interface,
1973
signature="t",
1478
1974
access="readwrite")
1479
1975
def ApprovalDelay_dbus_property(self, value=None):
1480
1976
if value is None: # get
1481
return dbus.UInt64(self.approval_delay_milliseconds())
1977
return dbus.UInt64(self.approval_delay.total_seconds()
1978
* 1000)
1482
1979
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1483
1980
1484
1981
# ApprovalDuration - property
1485
@dbus_service_property(_interface, signature="t",
1982
@dbus_service_property(_interface,
1983
signature="t",
1486
1984
access="readwrite")
1487
1985
def ApprovalDuration_dbus_property(self, value=None):
1488
1986
if value is None: # get
1489
return dbus.UInt64(timedelta_to_milliseconds(
1490
self.approval_duration))
1987
return dbus.UInt64(self.approval_duration.total_seconds()
1988
* 1000)
1491
1989
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1492
1990
1493
1991
# Name - property
1992
@dbus_annotations(
1993
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1494
1994
@dbus_service_property(_interface, signature="s", access="read")
1495
1995
def Name_dbus_property(self):
1496
1996
return dbus.String(self.name)
1497
1997
1498
1998
# Fingerprint - property
1999
@dbus_annotations(
2000
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1499
2001
@dbus_service_property(_interface, signature="s", access="read")
1500
2002
def Fingerprint_dbus_property(self):
1501
2003
return dbus.String(self.fingerprint)
1502
2004
1503
2005
# Host - property
1504
@dbus_service_property(_interface, signature="s",
2006
@dbus_service_property(_interface,
2007
signature="s",
1505
2008
access="readwrite")
1506
2009
def Host_dbus_property(self, value=None):
1507
2010
if value is None: # get
1508
2011
return dbus.String(self.host)
1509
self.host = unicode(value)
1510
2012
self.host = str(value)
2013
1511
2014
# Created - property
2015
@dbus_annotations(
2016
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1512
2017
@dbus_service_property(_interface, signature="s", access="read")
1513
2018
def Created_dbus_property(self):
1514
2019
return datetime_to_dbus(self.created)
1515
2020
1516
2021
# LastEnabled - property
1517
2022
@dbus_service_property(_interface, signature="s", access="read")
1518
2023
def LastEnabled_dbus_property(self):
1519
2024
return datetime_to_dbus(self.last_enabled)
1520
2025
1521
2026
# Enabled - property
1522
@dbus_service_property(_interface, signature="b",
2027
@dbus_service_property(_interface,
2028
signature="b",
1523
2029
access="readwrite")
1524
2030
def Enabled_dbus_property(self, value=None):
1525
2031
if value is None: # get
1528
2034
self.enable()
1529
2035
else:
1530
2036
self.disable()
1531
2037
1532
2038
# LastCheckedOK - property
1533
@dbus_service_property(_interface, signature="s",
2039
@dbus_service_property(_interface,
2040
signature="s",
1534
2041
access="readwrite")
1535
2042
def LastCheckedOK_dbus_property(self, value=None):
1536
2043
if value is not None:
1537
2044
self.checked_ok()
1538
2045
return
1539
2046
return datetime_to_dbus(self.last_checked_ok)
1540
2047
1541
2048
# LastCheckerStatus - property
1542
@dbus_service_property(_interface, signature="n",
1543
access="read")
2049
@dbus_service_property(_interface, signature="n", access="read")
1544
2050
def LastCheckerStatus_dbus_property(self):
1545
2051
return dbus.Int16(self.last_checker_status)
1546
2052
1547
2053
# Expires - property
1548
2054
@dbus_service_property(_interface, signature="s", access="read")
1549
2055
def Expires_dbus_property(self):
1550
2056
return datetime_to_dbus(self.expires)
1551
2057
1552
2058
# LastApprovalRequest - property
1553
2059
@dbus_service_property(_interface, signature="s", access="read")
1554
2060
def LastApprovalRequest_dbus_property(self):
1555
2061
return datetime_to_dbus(self.last_approval_request)
1556
2062
1557
2063
# Timeout - property
1558
@dbus_service_property(_interface, signature="t",
2064
@dbus_service_property(_interface,
2065
signature="t",
1559
2066
access="readwrite")
1560
2067
def Timeout_dbus_property(self, value=None):
1561
2068
if value is None: # get
1562
return dbus.UInt64(self.timeout_milliseconds())
2069
return dbus.UInt64(self.timeout.total_seconds() * 1000)
1563
2070
old_timeout = self.timeout
1564
2071
self.timeout = datetime.timedelta(0, 0, 0, value)
1565
2072
# Reschedule disabling
1573
2080
if (getattr(self, "disable_initiator_tag", None)
1574
2081
is None):
1575
2082
return
1576
gobject.source_remove(self.disable_initiator_tag)
1577
self.disable_initiator_tag = (
1578
gobject.timeout_add(
1579
timedelta_to_milliseconds(self.expires - now),
1580
self.disable))
1581
2083
GLib.source_remove(self.disable_initiator_tag)
2084
self.disable_initiator_tag = GLib.timeout_add(
2085
int((self.expires - now).total_seconds() * 1000),
2086
self.disable)
2087
1582
2088
# ExtendedTimeout - property
1583
@dbus_service_property(_interface, signature="t",
2089
@dbus_service_property(_interface,
2090
signature="t",
1584
2091
access="readwrite")
1585
2092
def ExtendedTimeout_dbus_property(self, value=None):
1586
2093
if value is None: # get
1587
return dbus.UInt64(self.extended_timeout_milliseconds())
2094
return dbus.UInt64(self.extended_timeout.total_seconds()
2095
* 1000)
1588
2096
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1589
2097
1590
2098
# Interval - property
1591
@dbus_service_property(_interface, signature="t",
2099
@dbus_service_property(_interface,
2100
signature="t",
1592
2101
access="readwrite")
1593
2102
def Interval_dbus_property(self, value=None):
1594
2103
if value is None: # get
1595
return dbus.UInt64(self.interval_milliseconds())
2104
return dbus.UInt64(self.interval.total_seconds() * 1000)
1596
2105
self.interval = datetime.timedelta(0, 0, 0, value)
1597
2106
if getattr(self, "checker_initiator_tag", None) is None:
1598
2107
return
1599
2108
if self.enabled:
1600
2109
# Reschedule checker run
1601
gobject.source_remove(self.checker_initiator_tag)
1602
self.checker_initiator_tag = (gobject.timeout_add
1603
(value, self.start_checker))
1604
self.start_checker() # Start one now, too
1605
2110
GLib.source_remove(self.checker_initiator_tag)
2111
self.checker_initiator_tag = GLib.timeout_add(
2112
value, self.start_checker)
2113
self.start_checker() # Start one now, too
2114
1606
2115
# Checker - property
1607
@dbus_service_property(_interface, signature="s",
2116
@dbus_service_property(_interface,
2117
signature="s",
1608
2118
access="readwrite")
1609
2119
def Checker_dbus_property(self, value=None):
1610
2120
if value is None: # get
1611
2121
return dbus.String(self.checker_command)
1612
self.checker_command = unicode(value)
1613
2122
self.checker_command = str(value)
2123
1614
2124
# CheckerRunning - property
1615
@dbus_service_property(_interface, signature="b",
2125
@dbus_service_property(_interface,
2126
signature="b",
1616
2127
access="readwrite")
1617
2128
def CheckerRunning_dbus_property(self, value=None):
1618
2129
if value is None: # get
1621
2132
self.start_checker()
1622
2133
else:
1623
2134
self.stop_checker()
1624
2135
1625
2136
# ObjectPath - property
2137
@dbus_annotations(
2138
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
2139
"org.freedesktop.DBus.Deprecated": "true"})
1626
2140
@dbus_service_property(_interface, signature="o", access="read")
1627
2141
def ObjectPath_dbus_property(self):
1628
return self.dbus_object_path # is already a dbus.ObjectPath
1629
2142
return self.dbus_object_path # is already a dbus.ObjectPath
2143
1630
2144
# Secret = property
1631
@dbus_service_property(_interface, signature="ay",
1632
access="write", byte_arrays=True)
2145
@dbus_annotations(
2146
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
2147
"invalidates"})
2148
@dbus_service_property(_interface,
2149
signature="ay",
2150
access="write",
2151
byte_arrays=True)
1633
2152
def Secret_dbus_property(self, value):
1634
self.secret = str(value)
1635
2153
self.secret = bytes(value)
2154
1636
2155
del _interface
1637
2156
1638
2157
1641
2160
self._pipe = child_pipe
1642
2161
self._pipe.send(('init', fpr, address))
1643
2162
if not self._pipe.recv():
1644
raise KeyError()
1645
2163
raise KeyError(fpr)
2164
1646
2165
def __getattribute__(self, name):
1647
2166
if name == '_pipe':
1648
2167
return super(ProxyClient, self).__getattribute__(name)
1651
2170
if data[0] == 'data':
1652
2171
return data[1]
1653
2172
if data[0] == 'function':
2173
1654
2174
def func(*args, **kwargs):
1655
2175
self._pipe.send(('funcall', name, args, kwargs))
1656
2176
return self._pipe.recv()[1]
2177
1657
2178
return func
1658
2179
1659
2180
def __setattr__(self, name, value):
1660
2181
if name == '_pipe':
1661
2182
return super(ProxyClient, self).__setattr__(name, value)
1664
2185
1665
2186
class ClientHandler(socketserver.BaseRequestHandler, object):
1666
2187
"""A class to handle client connections.
1667
2188
1668
2189
Instantiated once for each connection to handle it.
1669
2190
Note: This will run in its own forked process."""
1670
2191
1671
2192
def handle(self):
1672
2193
with contextlib.closing(self.server.child_pipe) as child_pipe:
1673
2194
logger.info("TCP connection from: %s",
1674
unicode(self.client_address))
2195
str(self.client_address))
1675
2196
logger.debug("Pipe FD: %d",
1676
2197
self.server.child_pipe.fileno())
1677
1678
session = (gnutls.connection
1679
.ClientSession(self.request,
1680
gnutls.connection
1681
.X509Credentials()))
1682
1683
# Note: gnutls.connection.X509Credentials is really a
1684
# generic GnuTLS certificate credentials object so long as
1685
# no X.509 keys are added to it. Therefore, we can use it
1686
# here despite using OpenPGP certificates.
1687
1688
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1689
# "+AES-256-CBC", "+SHA1",
1690
# "+COMP-NULL", "+CTYPE-OPENPGP",
1691
# "+DHE-DSS"))
2198
2199
session = gnutls.ClientSession(self.request)
2200
2201
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2202
# "+AES-256-CBC", "+SHA1",
2203
# "+COMP-NULL", "+CTYPE-OPENPGP",
2204
# "+DHE-DSS"))
1692
2205
# Use a fallback default, since this MUST be set.
1693
2206
priority = self.server.gnutls_priority
1694
2207
if priority is None:
1695
2208
priority = "NORMAL"
1696
(gnutls.library.functions
1697
.gnutls_priority_set_direct(session._c_object,
1698
priority, None))
1699
2209
gnutls.priority_set_direct(session._c_object,
2210
priority.encode("utf-8"),
2211
None)
2212
1700
2213
# Start communication using the Mandos protocol
1701
2214
# Get protocol number
1702
2215
line = self.request.makefile().readline()
1707
2220
except (ValueError, IndexError, RuntimeError) as error:
1708
2221
logger.error("Unknown protocol version: %s", error)
1709
2222
return
1710
2223
1711
2224
# Start GnuTLS connection
1712
2225
try:
1713
2226
session.handshake()
1714
except gnutls.errors.GNUTLSError as error:
2227
except gnutls.Error as error:
1715
2228
logger.warning("Handshake failed: %s", error)
1716
2229
# Do not run session.bye() here: the session is not
1717
2230
# established. Just abandon the request.
1718
2231
return
1719
2232
logger.debug("Handshake succeeded")
1720
2233
1721
2234
approval_required = False
1722
2235
try:
1723
2236
try:
1724
fpr = self.fingerprint(self.peer_certificate
1725
(session))
1726
except (TypeError,
1727
gnutls.errors.GNUTLSError) as error:
2237
fpr = self.fingerprint(
2238
self.peer_certificate(session))
2239
except (TypeError, gnutls.Error) as error:
1728
2240
logger.warning("Bad certificate: %s", error)
1729
2241
return
1730
2242
logger.debug("Fingerprint: %s", fpr)
1731
2243
1732
2244
try:
1733
2245
client = ProxyClient(child_pipe, fpr,
1734
2246
self.client_address)
1735
2247
except KeyError:
1736
2248
return
1737
2249
1738
2250
if client.approval_delay:
1739
2251
delay = client.approval_delay
1740
2252
client.approvals_pending += 1
1741
2253
approval_required = True
1742
2254
1743
2255
while True:
1744
2256
if not client.enabled:
1745
2257
logger.info("Client %s is disabled",
1746
client.name)
2258
client.name)
1747
2259
if self.server.use_dbus:
1748
2260
# Emit D-Bus signal
1749
2261
client.Rejected("Disabled")
1750
2262
return
1751
2263
1752
2264
if client.approved or not client.approval_delay:
1753
#We are approved or approval is disabled
2265
# We are approved or approval is disabled
1754
2266
break
1755
2267
elif client.approved is None:
1756
2268
logger.info("Client %s needs approval",
1758
2270
if self.server.use_dbus:
1759
2271
# Emit D-Bus signal
1760
2272
client.NeedApproval(
1761
client.approval_delay_milliseconds(),
1762
client.approved_by_default)
2273
client.approval_delay.total_seconds()
2274
* 1000, client.approved_by_default)
1763
2275
else:
1764
2276
logger.warning("Client %s was not approved",
1765
2277
client.name)
1767
2279
# Emit D-Bus signal
1768
2280
client.Rejected("Denied")
1769
2281
return
1770
1771
#wait until timeout or approved
2282
2283
# wait until timeout or approved
1772
2284
time = datetime.datetime.now()
1773
2285
client.changedstate.acquire()
1774
client.changedstate.wait(
1775
float(timedelta_to_milliseconds(delay)
1776
/ 1000))
2286
client.changedstate.wait(delay.total_seconds())
1777
2287
client.changedstate.release()
1778
2288
time2 = datetime.datetime.now()
1779
2289
if (time2 - time) >= delay:
1789
2299
break
1790
2300
else:
1791
2301
delay -= time2 - time
1792
1793
sent_size = 0
1794
while sent_size < len(client.secret):
1795
try:
1796
sent = session.send(client.secret[sent_size:])
1797
except gnutls.errors.GNUTLSError as error:
1798
logger.warning("gnutls send failed",
1799
exc_info=error)
1800
return
1801
logger.debug("Sent: %d, remaining: %d",
1802
sent, len(client.secret)
1803
- (sent_size + sent))
1804
sent_size += sent
1805
2302
2303
try:
2304
session.send(client.secret)
2305
except gnutls.Error as error:
2306
logger.warning("gnutls send failed",
2307
exc_info=error)
2308
return
2309
1806
2310
logger.info("Sending secret to %s", client.name)
1807
2311
# bump the timeout using extended_timeout
1808
2312
client.bump_timeout(client.extended_timeout)
1809
2313
if self.server.use_dbus:
1810
2314
# Emit D-Bus signal
1811
2315
client.GotSecret()
1812
2316
1813
2317
finally:
1814
2318
if approval_required:
1815
2319
client.approvals_pending -= 1
1816
2320
try:
1817
2321
session.bye()
1818
except gnutls.errors.GNUTLSError as error:
2322
except gnutls.Error as error:
1819
2323
logger.warning("GnuTLS bye failed",
1820
2324
exc_info=error)
1821
2325
1822
2326
@staticmethod
1823
2327
def peer_certificate(session):
1824
2328
"Return the peer's OpenPGP certificate as a bytestring"
1825
2329
# If not an OpenPGP certificate...
1826
if (gnutls.library.functions
1827
.gnutls_certificate_type_get(session._c_object)
1828
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
1829
# ...do the normal thing
1830
return session.peer_certificate
2330
if (gnutls.certificate_type_get(session._c_object)
2331
!= gnutls.CRT_OPENPGP):
2332
# ...return invalid data
2333
return b""
1831
2334
list_size = ctypes.c_uint(1)
1832
cert_list = (gnutls.library.functions
1833
.gnutls_certificate_get_peers
2335
cert_list = (gnutls.certificate_get_peers
1834
2336
(session._c_object, ctypes.byref(list_size)))
1835
2337
if not bool(cert_list) and list_size.value != 0:
1836
raise gnutls.errors.GNUTLSError("error getting peer"
1837
" certificate")
2338
raise gnutls.Error("error getting peer certificate")
1838
2339
if list_size.value == 0:
1839
2340
return None
1840
2341
cert = cert_list[0]
1841
2342
return ctypes.string_at(cert.data, cert.size)
1842
2343
1843
2344
@staticmethod
1844
2345
def fingerprint(openpgp):
1845
2346
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
1846
2347
# New GnuTLS "datum" with the OpenPGP public key
1847
datum = (gnutls.library.types
1848
.gnutls_datum_t(ctypes.cast(ctypes.c_char_p(openpgp),
1849
ctypes.POINTER
1850
(ctypes.c_ubyte)),
1851
ctypes.c_uint(len(openpgp))))
2348
datum = gnutls.datum_t(
2349
ctypes.cast(ctypes.c_char_p(openpgp),
2350
ctypes.POINTER(ctypes.c_ubyte)),
2351
ctypes.c_uint(len(openpgp)))
1852
2352
# New empty GnuTLS certificate
1853
crt = gnutls.library.types.gnutls_openpgp_crt_t()
1854
(gnutls.library.functions
1855
.gnutls_openpgp_crt_init(ctypes.byref(crt)))
2353
crt = gnutls.openpgp_crt_t()
2354
gnutls.openpgp_crt_init(ctypes.byref(crt))
1856
2355
# Import the OpenPGP public key into the certificate
1857
(gnutls.library.functions
1858
.gnutls_openpgp_crt_import(crt, ctypes.byref(datum),
1859
gnutls.library.constants
1860
.GNUTLS_OPENPGP_FMT_RAW))
2356
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2357
gnutls.OPENPGP_FMT_RAW)
1861
2358
# Verify the self signature in the key
1862
2359
crtverify = ctypes.c_uint()
1863
(gnutls.library.functions
1864
.gnutls_openpgp_crt_verify_self(crt, 0,
1865
ctypes.byref(crtverify)))
2360
gnutls.openpgp_crt_verify_self(crt, 0,
2361
ctypes.byref(crtverify))
1866
2362
if crtverify.value != 0:
1867
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
1868
raise (gnutls.errors.CertificateSecurityError
1869
("Verify failed"))
2363
gnutls.openpgp_crt_deinit(crt)
2364
raise gnutls.CertificateSecurityError("Verify failed")
1870
2365
# New buffer for the fingerprint
1871
2366
buf = ctypes.create_string_buffer(20)
1872
2367
buf_len = ctypes.c_size_t()
1873
2368
# Get the fingerprint from the certificate into the buffer
1874
(gnutls.library.functions
1875
.gnutls_openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
1876
ctypes.byref(buf_len)))
2369
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2370
ctypes.byref(buf_len))
1877
2371
# Deinit the certificate
1878
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2372
gnutls.openpgp_crt_deinit(crt)
1879
2373
# Convert the buffer to a Python bytestring
1880
2374
fpr = ctypes.string_at(buf, buf_len.value)
1881
2375
# Convert the bytestring to hexadecimal notation
1885
2379
1886
2380
class MultiprocessingMixIn(object):
1887
2381
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2382
1888
2383
def sub_process_main(self, request, address):
1889
2384
try:
1890
2385
self.finish_request(request, address)
1891
2386
except Exception:
1892
2387
self.handle_error(request, address)
1893
2388
self.close_request(request)
1894
2389
1895
2390
def process_request(self, request, address):
1896
2391
"""Start a new process to process the request."""
1897
proc = multiprocessing.Process(target = self.sub_process_main,
1898
args = (request, address))
2392
proc = multiprocessing.Process(target=self.sub_process_main,
2393
args=(request, address))
1899
2394
proc.start()
1900
2395
return proc
1901
2396
1902
2397
1903
2398
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
1904
2399
""" adds a pipe to the MixIn """
2400
1905
2401
def process_request(self, request, client_address):
1906
2402
"""Overrides and wraps the original process_request().
1907
2403
1908
2404
This function creates a new pipe in self.pipe
1909
2405
"""
1910
2406
parent_pipe, self.child_pipe = multiprocessing.Pipe()
1911
2407
1912
2408
proc = MultiprocessingMixIn.process_request(self, request,
1913
2409
client_address)
1914
2410
self.child_pipe.close()
1915
2411
self.add_pipe(parent_pipe, proc)
1916
2412
1917
2413
def add_pipe(self, parent_pipe, proc):
1918
2414
"""Dummy function; override as necessary"""
1919
2415
raise NotImplementedError()
1922
2418
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
1923
2419
socketserver.TCPServer, object):
1924
2420
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
1925
2421
1926
2422
Attributes:
1927
2423
enabled: Boolean; whether this server is activated yet
1928
2424
interface: None or a network interface name (string)
1929
2425
use_ipv6: Boolean; to use IPv6 or not
1930
2426
"""
2427
1931
2428
def __init__(self, server_address, RequestHandlerClass,
1932
interface=None, use_ipv6=True, socketfd=None):
2429
interface=None,
2430
use_ipv6=True,
2431
socketfd=None):
1933
2432
"""If socketfd is set, use that file descriptor instead of
1934
2433
creating a new one with socket.socket().
1935
2434
"""
1941
2440
self.socketfd = socketfd
1942
2441
# Save the original socket.socket() function
1943
2442
self.socket_socket = socket.socket
2443
1944
2444
# To implement --socket, we monkey patch socket.socket.
1945
#
2445
#
1946
2446
# (When socketserver.TCPServer is a new-style class, we
1947
2447
# could make self.socket into a property instead of monkey
1948
2448
# patching socket.socket.)
1949
#
2449
#
1950
2450
# Create a one-time-only replacement for socket.socket()
1951
2451
@functools.wraps(socket.socket)
1952
2452
def socket_wrapper(*args, **kwargs):
1964
2464
# socket_wrapper(), if socketfd was set.
1965
2465
socketserver.TCPServer.__init__(self, server_address,
1966
2466
RequestHandlerClass)
1967
2467
1968
2468
def server_bind(self):
1969
2469
"""This overrides the normal server_bind() function
1970
2470
to bind to an interface if one was specified, and also NOT to
1971
2471
bind to an address or port if they were not specified."""
2472
global SO_BINDTODEVICE
1972
2473
if self.interface is not None:
1973
2474
if SO_BINDTODEVICE is None:
1974
logger.error("SO_BINDTODEVICE does not exist;"
1975
" cannot bind to interface %s",
1976
self.interface)
1977
else:
1978
try:
1979
self.socket.setsockopt(socket.SOL_SOCKET,
1980
SO_BINDTODEVICE,
1981
str(self.interface + '\0'))
1982
except socket.error as error:
1983
if error.errno == errno.EPERM:
1984
logger.error("No permission to bind to"
1985
" interface %s", self.interface)
1986
elif error.errno == errno.ENOPROTOOPT:
1987
logger.error("SO_BINDTODEVICE not available;"
1988
" cannot bind to interface %s",
1989
self.interface)
1990
elif error.errno == errno.ENODEV:
1991
logger.error("Interface %s does not exist,"
1992
" cannot bind", self.interface)
1993
else:
1994
raise
2475
# Fall back to a hard-coded value which seems to be
2476
# common enough.
2477
logger.warning("SO_BINDTODEVICE not found, trying 25")
2478
SO_BINDTODEVICE = 25
2479
try:
2480
self.socket.setsockopt(
2481
socket.SOL_SOCKET, SO_BINDTODEVICE,
2482
(self.interface + "\0").encode("utf-8"))
2483
except socket.error as error:
2484
if error.errno == errno.EPERM:
2485
logger.error("No permission to bind to"
2486
" interface %s", self.interface)
2487
elif error.errno == errno.ENOPROTOOPT:
2488
logger.error("SO_BINDTODEVICE not available;"
2489
" cannot bind to interface %s",
2490
self.interface)
2491
elif error.errno == errno.ENODEV:
2492
logger.error("Interface %s does not exist,"
2493
" cannot bind", self.interface)
2494
else:
2495
raise
1995
2496
# Only bind(2) the socket if we really need to.
1996
2497
if self.server_address[0] or self.server_address[1]:
1997
2498
if not self.server_address[0]:
1998
2499
if self.address_family == socket.AF_INET6:
1999
any_address = "::" # in6addr_any
2500
any_address = "::" # in6addr_any
2000
2501
else:
2001
any_address = "0.0.0.0" # INADDR_ANY
2502
any_address = "0.0.0.0" # INADDR_ANY
2002
2503
self.server_address = (any_address,
2003
2504
self.server_address[1])
2004
2505
elif not self.server_address[1]:
2005
self.server_address = (self.server_address[0],
2006
0)
2506
self.server_address = (self.server_address[0], 0)
2007
2507
# if self.interface:
2008
2508
# self.server_address = (self.server_address[0],
2009
2509
# 0, # port
2015
2515
2016
2516
class MandosServer(IPv6_TCPServer):
2017
2517
"""Mandos server.
2018
2518
2019
2519
Attributes:
2020
2520
clients: set of Client objects
2021
2521
gnutls_priority GnuTLS priority string
2022
2522
use_dbus: Boolean; to emit D-Bus signals or not
2023
2024
Assumes a gobject.MainLoop event loop.
2523
2524
Assumes a GLib.MainLoop event loop.
2025
2525
"""
2526
2026
2527
def __init__(self, server_address, RequestHandlerClass,
2027
interface=None, use_ipv6=True, clients=None,
2028
gnutls_priority=None, use_dbus=True, socketfd=None):
2528
interface=None,
2529
use_ipv6=True,
2530
clients=None,
2531
gnutls_priority=None,
2532
use_dbus=True,
2533
socketfd=None):
2029
2534
self.enabled = False
2030
2535
self.clients = clients
2031
2536
if self.clients is None:
2034
2539
self.gnutls_priority = gnutls_priority
2035
2540
IPv6_TCPServer.__init__(self, server_address,
2036
2541
RequestHandlerClass,
2037
interface = interface,
2038
use_ipv6 = use_ipv6,
2039
socketfd = socketfd)
2542
interface=interface,
2543
use_ipv6=use_ipv6,
2544
socketfd=socketfd)
2545
2040
2546
def server_activate(self):
2041
2547
if self.enabled:
2042
2548
return socketserver.TCPServer.server_activate(self)
2043
2549
2044
2550
def enable(self):
2045
2551
self.enabled = True
2046
2552
2047
2553
def add_pipe(self, parent_pipe, proc):
2048
2554
# Call "handle_ipc" for both data and EOF events
2049
gobject.io_add_watch(parent_pipe.fileno(),
2050
gobject.IO_IN | gobject.IO_HUP,
2051
functools.partial(self.handle_ipc,
2052
parent_pipe =
2053
parent_pipe,
2054
proc = proc))
2055
2056
def handle_ipc(self, source, condition, parent_pipe=None,
2057
proc = None, client_object=None):
2555
GLib.io_add_watch(
2556
parent_pipe.fileno(),
2557
GLib.IO_IN | GLib.IO_HUP,
2558
functools.partial(self.handle_ipc,
2559
parent_pipe=parent_pipe,
2560
proc=proc))
2561
2562
def handle_ipc(self, source, condition,
2563
parent_pipe=None,
2564
proc=None,
2565
client_object=None):
2058
2566
# error, or the other end of multiprocessing.Pipe has closed
2059
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2567
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2060
2568
# Wait for other process to exit
2061
2569
proc.join()
2062
2570
return False
2063
2571
2064
2572
# Read a request from the child
2065
2573
request = parent_pipe.recv()
2066
2574
command = request[0]
2067
2575
2068
2576
if command == 'init':
2069
2577
fpr = request[1]
2070
2578
address = request[2]
2071
2072
for c in self.clients.itervalues():
2579
2580
for c in self.clients.values():
2073
2581
if c.fingerprint == fpr:
2074
2582
client = c
2075
2583
break
2082
2590
address[0])
2083
2591
parent_pipe.send(False)
2084
2592
return False
2085
2086
gobject.io_add_watch(parent_pipe.fileno(),
2087
gobject.IO_IN | gobject.IO_HUP,
2088
functools.partial(self.handle_ipc,
2089
parent_pipe =
2090
parent_pipe,
2091
proc = proc,
2092
client_object =
2093
client))
2593
2594
GLib.io_add_watch(
2595
parent_pipe.fileno(),
2596
GLib.IO_IN | GLib.IO_HUP,
2597
functools.partial(self.handle_ipc,
2598
parent_pipe=parent_pipe,
2599
proc=proc,
2600
client_object=client))
2094
2601
parent_pipe.send(True)
2095
2602
# remove the old hook in favor of the new above hook on
2096
2603
# same fileno
2099
2606
funcname = request[1]
2100
2607
args = request[2]
2101
2608
kwargs = request[3]
2102
2609
2103
2610
parent_pipe.send(('data', getattr(client_object,
2104
2611
funcname)(*args,
2105
**kwargs)))
2106
2612
**kwargs)))
2613
2107
2614
if command == 'getattr':
2108
2615
attrname = request[1]
2109
if callable(client_object.__getattribute__(attrname)):
2110
parent_pipe.send(('function',))
2616
if isinstance(client_object.__getattribute__(attrname),
2617
collections.Callable):
2618
parent_pipe.send(('function', ))
2111
2619
else:
2112
parent_pipe.send(('data', client_object
2113
.__getattribute__(attrname)))
2114
2620
parent_pipe.send((
2621
'data', client_object.__getattribute__(attrname)))
2622
2115
2623
if command == 'setattr':
2116
2624
attrname = request[1]
2117
2625
value = request[2]
2118
2626
setattr(client_object, attrname, value)
2119
2627
2120
2628
return True
2121
2629
2122
2630
2123
2631
def rfc3339_duration_to_delta(duration):
2124
2632
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2125
2633
2126
2634
>>> rfc3339_duration_to_delta("P7D")
2127
2635
datetime.timedelta(7)
2128
2636
>>> rfc3339_duration_to_delta("PT60S")
2138
2646
>>> rfc3339_duration_to_delta("P1DT3M20S")
2139
2647
datetime.timedelta(1, 200)
2140
2648
"""
2141
2649
2142
2650
# Parsing an RFC 3339 duration with regular expressions is not
2143
2651
# possible - there would have to be multiple places for the same
2144
2652
# values, like seconds. The current code, while more esoteric, is
2145
2653
# cleaner without depending on a parsing library. If Python had a
2146
2654
# built-in library for parsing we would use it, but we'd like to
2147
2655
# avoid excessive use of external libraries.
2148
2656
2149
2657
# New type for defining tokens, syntax, and semantics all-in-one
2150
Token = collections.namedtuple("Token",
2151
("regexp", # To match token; if
2152
# "value" is not None,
2153
# must have a "group"
2154
# containing digits
2155
"value", # datetime.timedelta or
2156
# None
2157
"followers")) # Tokens valid after
2158
# this token
2658
Token = collections.namedtuple("Token", (
2659
"regexp", # To match token; if "value" is not None, must have
2660
# a "group" containing digits
2661
"value", # datetime.timedelta or None
2662
"followers")) # Tokens valid after this token
2159
2663
# RFC 3339 "duration" tokens, syntax, and semantics; taken from
2160
2664
# the "duration" ABNF definition in RFC 3339, Appendix A.
2161
2665
token_end = Token(re.compile(r"$"), None, frozenset())
2162
2666
token_second = Token(re.compile(r"(\d+)S"),
2163
2667
datetime.timedelta(seconds=1),
2164
frozenset((token_end,)))
2668
frozenset((token_end, )))
2165
2669
token_minute = Token(re.compile(r"(\d+)M"),
2166
2670
datetime.timedelta(minutes=1),
2167
2671
frozenset((token_second, token_end)))
2183
2687
frozenset((token_month, token_end)))
2184
2688
token_week = Token(re.compile(r"(\d+)W"),
2185
2689
datetime.timedelta(weeks=1),
2186
frozenset((token_end,)))
2690
frozenset((token_end, )))
2187
2691
token_duration = Token(re.compile(r"P"), None,
2188
2692
frozenset((token_year, token_month,
2189
2693
token_day, token_time,
2190
token_week))),
2191
# Define starting values
2192
value = datetime.timedelta() # Value so far
2694
token_week)))
2695
# Define starting values:
2696
# Value so far
2697
value = datetime.timedelta()
2193
2698
found_token = None
2194
followers = frozenset(token_duration,) # Following valid tokens
2195
s = duration # String left to parse
2699
# Following valid tokens
2700
followers = frozenset((token_duration, ))
2701
# String left to parse
2702
s = duration
2196
2703
# Loop until end token is found
2197
2704
while found_token is not token_end:
2198
2705
# Search for any currently valid tokens
2214
2721
break
2215
2722
else:
2216
2723
# No currently valid tokens were found
2217
raise ValueError("Invalid RFC 3339 duration")
2724
raise ValueError("Invalid RFC 3339 duration: {!r}"
2725
.format(duration))
2218
2726
# End token found
2219
2727
return value
2220
2728
2221
2729
2222
2730
def string_to_delta(interval):
2223
2731
"""Parse a string and return a datetime.timedelta
2224
2732
2225
2733
>>> string_to_delta('7d')
2226
2734
datetime.timedelta(7)
2227
2735
>>> string_to_delta('60s')
2235
2743
>>> string_to_delta('5m 30s')
2236
2744
datetime.timedelta(0, 330)
2237
2745
"""
2238
2746
2239
2747
try:
2240
2748
return rfc3339_duration_to_delta(interval)
2241
2749
except ValueError:
2242
2750
pass
2243
2751
2244
2752
timevalue = datetime.timedelta(0)
2245
2753
for s in interval.split():
2246
2754
try:
2247
suffix = unicode(s[-1])
2755
suffix = s[-1]
2248
2756
value = int(s[:-1])
2249
2757
if suffix == "d":
2250
2758
delta = datetime.timedelta(value)
2257
2765
elif suffix == "w":
2258
2766
delta = datetime.timedelta(0, 0, 0, 0, 0, 0, value)
2259
2767
else:
2260
raise ValueError("Unknown suffix {0!r}"
2261
.format(suffix))
2768
raise ValueError("Unknown suffix {!r}".format(suffix))
2262
2769
except IndexError as e:
2263
2770
raise ValueError(*(e.args))
2264
2771
timevalue += delta
2265
2772
return timevalue
2266
2773
2267
2774
2268
def daemon(nochdir = False, noclose = False):
2775
def daemon(nochdir=False, noclose=False):
2269
2776
"""See daemon(3). Standard BSD Unix function.
2270
2777
2271
2778
This should really exist as os.daemon, but it doesn't (yet)."""
2272
2779
if os.fork():
2273
2780
sys.exit()
2281
2788
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2282
2789
if not stat.S_ISCHR(os.fstat(null).st_mode):
2283
2790
raise OSError(errno.ENODEV,
2284
"{0} not a character device"
2791
"{} not a character device"
2285
2792
.format(os.devnull))
2286
2793
os.dup2(null, sys.stdin.fileno())
2287
2794
os.dup2(null, sys.stdout.fileno())
2291
2798
2292
2799
2293
2800
def main():
2294
2801
2295
2802
##################################################################
2296
2803
# Parsing of options, both command line and config file
2297
2804
2298
2805
parser = argparse.ArgumentParser()
2299
2806
parser.add_argument("-v", "--version", action="version",
2300
version = "%(prog)s {0}".format(version),
2807
version="%(prog)s {}".format(version),
2301
2808
help="show version number and exit")
2302
2809
parser.add_argument("-i", "--interface", metavar="IF",
2303
2810
help="Bind to interface IF")
2336
2843
help="Directory to save/restore state in")
2337
2844
parser.add_argument("--foreground", action="store_true",
2338
2845
help="Run in foreground", default=None)
2339
2846
parser.add_argument("--no-zeroconf", action="store_false",
2847
dest="zeroconf", help="Do not use Zeroconf",
2848
default=None)
2849
2340
2850
options = parser.parse_args()
2341
2851
2342
2852
if options.check:
2343
2853
import doctest
2344
doctest.testmod()
2345
sys.exit()
2346
2854
fail_count, test_count = doctest.testmod()
2855
sys.exit(os.EX_OK if fail_count == 0 else 1)
2856
2347
2857
# Default values for config file for server-global settings
2348
server_defaults = { "interface": "",
2349
"address": "",
2350
"port": "",
2351
"debug": "False",
2352
"priority":
2353
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160",
2354
"servicename": "Mandos",
2355
"use_dbus": "True",
2356
"use_ipv6": "True",
2357
"debuglevel": "",
2358
"restore": "True",
2359
"socket": "",
2360
"statedir": "/var/lib/mandos",
2361
"foreground": "False",
2362
}
2363
2858
server_defaults = {"interface": "",
2859
"address": "",
2860
"port": "",
2861
"debug": "False",
2862
"priority":
2863
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2864
":+SIGN-DSA-SHA256",
2865
"servicename": "Mandos",
2866
"use_dbus": "True",
2867
"use_ipv6": "True",
2868
"debuglevel": "",
2869
"restore": "True",
2870
"socket": "",
2871
"statedir": "/var/lib/mandos",
2872
"foreground": "False",
2873
"zeroconf": "True",
2874
}
2875
2364
2876
# Parse config file for server-global settings
2365
2877
server_config = configparser.SafeConfigParser(server_defaults)
2366
2878
del server_defaults
2367
server_config.read(os.path.join(options.configdir,
2368
"mandos.conf"))
2879
server_config.read(os.path.join(options.configdir, "mandos.conf"))
2369
2880
# Convert the SafeConfigParser object to a dict
2370
2881
server_settings = server_config.defaults()
2371
2882
# Use the appropriate methods on the non-string config options
2385
2896
server_settings["socket"] = os.dup(server_settings
2386
2897
["socket"])
2387
2898
del server_config
2388
2899
2389
2900
# Override the settings from the config file with command line
2390
2901
# options, if set.
2391
2902
for option in ("interface", "address", "port", "debug",
2392
"priority", "servicename", "configdir",
2393
"use_dbus", "use_ipv6", "debuglevel", "restore",
2394
"statedir", "socket", "foreground"):
2903
"priority", "servicename", "configdir", "use_dbus",
2904
"use_ipv6", "debuglevel", "restore", "statedir",
2905
"socket", "foreground", "zeroconf"):
2395
2906
value = getattr(options, option)
2396
2907
if value is not None:
2397
2908
server_settings[option] = value
2398
2909
del options
2399
2910
# Force all strings to be unicode
2400
2911
for option in server_settings.keys():
2401
if type(server_settings[option]) is str:
2402
server_settings[option] = unicode(server_settings[option])
2912
if isinstance(server_settings[option], bytes):
2913
server_settings[option] = (server_settings[option]
2914
.decode("utf-8"))
2403
2915
# Force all boolean options to be boolean
2404
2916
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2405
"foreground"):
2917
"foreground", "zeroconf"):
2406
2918
server_settings[option] = bool(server_settings[option])
2407
2919
# Debug implies foreground
2408
2920
if server_settings["debug"]:
2409
2921
server_settings["foreground"] = True
2410
2922
# Now we have our good server settings in "server_settings"
2411
2923
2412
2924
##################################################################
2413
2925
2926
if (not server_settings["zeroconf"]
2927
and not (server_settings["port"]
2928
or server_settings["socket"] != "")):
2929
parser.error("Needs port or socket to work without Zeroconf")
2930
2414
2931
# For convenience
2415
2932
debug = server_settings["debug"]
2416
2933
debuglevel = server_settings["debuglevel"]
2419
2936
stored_state_path = os.path.join(server_settings["statedir"],
2420
2937
stored_state_file)
2421
2938
foreground = server_settings["foreground"]
2422
2939
zeroconf = server_settings["zeroconf"]
2940
2423
2941
if debug:
2424
2942
initlogger(debug, logging.DEBUG)
2425
2943
else:
2428
2946
else:
2429
2947
level = getattr(logging, debuglevel.upper())
2430
2948
initlogger(debug, level)
2431
2949
2432
2950
if server_settings["servicename"] != "Mandos":
2433
syslogger.setFormatter(logging.Formatter
2434
('Mandos ({0}) [%(process)d]:'
2435
' %(levelname)s: %(message)s'
2436
.format(server_settings
2437
["servicename"])))
2438
2951
syslogger.setFormatter(
2952
logging.Formatter('Mandos ({}) [%(process)d]:'
2953
' %(levelname)s: %(message)s'.format(
2954
server_settings["servicename"])))
2955
2439
2956
# Parse config file with clients
2440
2957
client_config = configparser.SafeConfigParser(Client
2441
2958
.client_defaults)
2442
2959
client_config.read(os.path.join(server_settings["configdir"],
2443
2960
"clients.conf"))
2444
2961
2445
2962
global mandos_dbus_service
2446
2963
mandos_dbus_service = None
2447
2448
tcp_server = MandosServer((server_settings["address"],
2449
server_settings["port"]),
2450
ClientHandler,
2451
interface=(server_settings["interface"]
2452
or None),
2453
use_ipv6=use_ipv6,
2454
gnutls_priority=
2455
server_settings["priority"],
2456
use_dbus=use_dbus,
2457
socketfd=(server_settings["socket"]
2458
or None))
2964
2965
socketfd = None
2966
if server_settings["socket"] != "":
2967
socketfd = server_settings["socket"]
2968
tcp_server = MandosServer(
2969
(server_settings["address"], server_settings["port"]),
2970
ClientHandler,
2971
interface=(server_settings["interface"] or None),
2972
use_ipv6=use_ipv6,
2973
gnutls_priority=server_settings["priority"],
2974
use_dbus=use_dbus,
2975
socketfd=socketfd)
2459
2976
if not foreground:
2460
2977
pidfilename = "/run/mandos.pid"
2461
2978
if not os.path.isdir("/run/."):
2462
2979
pidfilename = "/var/run/mandos.pid"
2463
2980
pidfile = None
2464
2981
try:
2465
pidfile = open(pidfilename, "w")
2982
pidfile = codecs.open(pidfilename, "w", encoding="utf-8")
2466
2983
except IOError as e:
2467
2984
logger.error("Could not open file %r", pidfilename,
2468
2985
exc_info=e)
2469
2470
for name in ("_mandos", "mandos", "nobody"):
2986
2987
for name, group in (("_mandos", "_mandos"),
2988
("mandos", "mandos"),
2989
("nobody", "nogroup")):
2471
2990
try:
2472
2991
uid = pwd.getpwnam(name).pw_uid
2473
gid = pwd.getpwnam(name).pw_gid
2992
gid = pwd.getpwnam(group).pw_gid
2474
2993
break
2475
2994
except KeyError:
2476
2995
continue
2480
2999
try:
2481
3000
os.setgid(gid)
2482
3001
os.setuid(uid)
3002
if debug:
3003
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3004
gid))
2483
3005
except OSError as error:
3006
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3007
.format(uid, gid, os.strerror(error.errno)))
2484
3008
if error.errno != errno.EPERM:
2485
3009
raise
2486
3010
2487
3011
if debug:
2488
3012
# Enable all possible GnuTLS debugging
2489
3013
2490
3014
# "Use a log level over 10 to enable all debugging options."
2491
3015
# - GnuTLS manual
2492
gnutls.library.functions.gnutls_global_set_log_level(11)
2493
2494
@gnutls.library.types.gnutls_log_func
3016
gnutls.global_set_log_level(11)
3017
3018
@gnutls.log_func
2495
3019
def debug_gnutls(level, string):
2496
3020
logger.debug("GnuTLS: %s", string[:-1])
2497
2498
(gnutls.library.functions
2499
.gnutls_global_set_log_function(debug_gnutls))
2500
3021
3022
gnutls.global_set_log_function(debug_gnutls)
3023
2501
3024
# Redirect stdin so all checkers get /dev/null
2502
3025
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2503
3026
os.dup2(null, sys.stdin.fileno())
2504
3027
if null > 2:
2505
3028
os.close(null)
2506
3029
2507
3030
# Need to fork before connecting to D-Bus
2508
3031
if not foreground:
2509
3032
# Close all input and output, do double fork, etc.
2510
3033
daemon()
2511
2512
# multiprocessing will use threads, so before we use gobject we
2513
# need to inform gobject that threads will be used.
2514
gobject.threads_init()
2515
3034
3035
# multiprocessing will use threads, so before we use GLib we need
3036
# to inform GLib that threads will be used.
3037
GLib.threads_init()
3038
2516
3039
global main_loop
2517
3040
# From the Avahi example code
2518
3041
DBusGMainLoop(set_as_default=True)
2519
main_loop = gobject.MainLoop()
3042
main_loop = GLib.MainLoop()
2520
3043
bus = dbus.SystemBus()
2521
3044
# End of Avahi example code
2522
3045
if use_dbus:
2523
3046
try:
2524
3047
bus_name = dbus.service.BusName("se.recompile.Mandos",
2525
bus, do_not_queue=True)
2526
old_bus_name = (dbus.service.BusName
2527
("se.bsnet.fukt.Mandos", bus,
2528
do_not_queue=True))
2529
except dbus.exceptions.NameExistsException as e:
3048
bus,
3049
do_not_queue=True)
3050
old_bus_name = dbus.service.BusName(
3051
"se.bsnet.fukt.Mandos", bus,
3052
do_not_queue=True)
3053
except dbus.exceptions.DBusException as e:
2530
3054
logger.error("Disabling D-Bus:", exc_info=e)
2531
3055
use_dbus = False
2532
3056
server_settings["use_dbus"] = False
2533
3057
tcp_server.use_dbus = False
2534
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2535
service = AvahiServiceToSyslog(name =
2536
server_settings["servicename"],
2537
servicetype = "_mandos._tcp",
2538
protocol = protocol, bus = bus)
2539
if server_settings["interface"]:
2540
service.interface = (if_nametoindex
2541
(str(server_settings["interface"])))
2542
3058
if zeroconf:
3059
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
3060
service = AvahiServiceToSyslog(
3061
name=server_settings["servicename"],
3062
servicetype="_mandos._tcp",
3063
protocol=protocol,
3064
bus=bus)
3065
if server_settings["interface"]:
3066
service.interface = if_nametoindex(
3067
server_settings["interface"].encode("utf-8"))
3068
2543
3069
global multiprocessing_manager
2544
3070
multiprocessing_manager = multiprocessing.Manager()
2545
3071
2546
3072
client_class = Client
2547
3073
if use_dbus:
2548
client_class = functools.partial(ClientDBus, bus = bus)
2549
3074
client_class = functools.partial(ClientDBus, bus=bus)
3075
2550
3076
client_settings = Client.config_parser(client_config)
2551
3077
old_client_settings = {}
2552
3078
clients_data = {}
2553
3079
2554
3080
# This is used to redirect stdout and stderr for checker processes
2555
3081
global wnull
2556
wnull = open(os.devnull, "w") # A writable /dev/null
3082
wnull = open(os.devnull, "w") # A writable /dev/null
2557
3083
# Only used if server is running in foreground but not in debug
2558
3084
# mode
2559
3085
if debug or not foreground:
2560
3086
wnull.close()
2561
3087
2562
3088
# Get client data and settings from last running state.
2563
3089
if server_settings["restore"]:
2564
3090
try:
2565
3091
with open(stored_state_path, "rb") as stored_state:
2566
clients_data, old_client_settings = (pickle.load
2567
(stored_state))
3092
if sys.version_info.major == 2:
3093
clients_data, old_client_settings = pickle.load(
3094
stored_state)
3095
else:
3096
bytes_clients_data, bytes_old_client_settings = (
3097
pickle.load(stored_state, encoding="bytes"))
3098
# Fix bytes to strings
3099
# clients_data
3100
# .keys()
3101
clients_data = {(key.decode("utf-8")
3102
if isinstance(key, bytes)
3103
else key): value
3104
for key, value in
3105
bytes_clients_data.items()}
3106
del bytes_clients_data
3107
for key in clients_data:
3108
value = {(k.decode("utf-8")
3109
if isinstance(k, bytes) else k): v
3110
for k, v in
3111
clients_data[key].items()}
3112
clients_data[key] = value
3113
# .client_structure
3114
value["client_structure"] = [
3115
(s.decode("utf-8")
3116
if isinstance(s, bytes)
3117
else s) for s in
3118
value["client_structure"]]
3119
# .name & .host
3120
for k in ("name", "host"):
3121
if isinstance(value[k], bytes):
3122
value[k] = value[k].decode("utf-8")
3123
# old_client_settings
3124
# .keys()
3125
old_client_settings = {
3126
(key.decode("utf-8")
3127
if isinstance(key, bytes)
3128
else key): value
3129
for key, value in
3130
bytes_old_client_settings.items()}
3131
del bytes_old_client_settings
3132
# .host
3133
for value in old_client_settings.values():
3134
if isinstance(value["host"], bytes):
3135
value["host"] = (value["host"]
3136
.decode("utf-8"))
2568
3137
os.remove(stored_state_path)
2569
3138
except IOError as e:
2570
3139
if e.errno == errno.ENOENT:
2571
logger.warning("Could not load persistent state: {0}"
2572
.format(os.strerror(e.errno)))
3140
logger.warning("Could not load persistent state:"
3141
" {}".format(os.strerror(e.errno)))
2573
3142
else:
2574
3143
logger.critical("Could not load persistent state:",
2575
3144
exc_info=e)
2576
3145
raise
2577
3146
except EOFError as e:
2578
3147
logger.warning("Could not load persistent state: "
2579
"EOFError:", exc_info=e)
2580
3148
"EOFError:",
3149
exc_info=e)
3150
2581
3151
with PGPEngine() as pgp:
2582
for client_name, client in clients_data.iteritems():
3152
for client_name, client in clients_data.items():
2583
3153
# Skip removed clients
2584
3154
if client_name not in client_settings:
2585
3155
continue
2586
3156
2587
3157
# Decide which value to use after restoring saved state.
2588
3158
# We have three different values: Old config file,
2589
3159
# new config file, and saved state.
2594
3164
# For each value in new config, check if it
2595
3165
# differs from the old config value (Except for
2596
3166
# the "secret" attribute)
2597
if (name != "secret" and
2598
value != old_client_settings[client_name]
2599
[name]):
3167
if (name != "secret"
3168
and (value !=
3169
old_client_settings[client_name][name])):
2600
3170
client[name] = value
2601
3171
except KeyError:
2602
3172
pass
2603
3173
2604
3174
# Clients who has passed its expire date can still be
2605
# enabled if its last checker was successful. Clients
3175
# enabled if its last checker was successful. A Client
2606
3176
# whose checker succeeded before we stored its state is
2607
3177
# assumed to have successfully run all checkers during
2608
3178
# downtime.
2610
3180
if datetime.datetime.utcnow() >= client["expires"]:
2611
3181
if not client["last_checked_ok"]:
2612
3182
logger.warning(
2613
"disabling client {0} - Client never "
2614
"performed a successful checker"
2615
.format(client_name))
3183
"disabling client {} - Client never "
3184
"performed a successful checker".format(
3185
client_name))
2616
3186
client["enabled"] = False
2617
3187
elif client["last_checker_status"] != 0:
2618
3188
logger.warning(
2619
"disabling client {0} - Client "
2620
"last checker failed with error code {1}"
2621
.format(client_name,
2622
client["last_checker_status"]))
3189
"disabling client {} - Client last"
3190
" checker failed with error code"
3191
" {}".format(
3192
client_name,
3193
client["last_checker_status"]))
2623
3194
client["enabled"] = False
2624
3195
else:
2625
client["expires"] = (datetime.datetime
2626
.utcnow()
2627
+ client["timeout"])
3196
client["expires"] = (
3197
datetime.datetime.utcnow()
3198
+ client["timeout"])
2628
3199
logger.debug("Last checker succeeded,"
2629
" keeping {0} enabled"
2630
.format(client_name))
3200
" keeping {} enabled".format(
3201
client_name))
2631
3202
try:
2632
client["secret"] = (
2633
pgp.decrypt(client["encrypted_secret"],
2634
client_settings[client_name]
2635
["secret"]))
3203
client["secret"] = pgp.decrypt(
3204
client["encrypted_secret"],
3205
client_settings[client_name]["secret"])
2636
3206
except PGPError:
2637
3207
# If decryption fails, we use secret from new settings
2638
logger.debug("Failed to decrypt {0} old secret"
2639
.format(client_name))
2640
client["secret"] = (
2641
client_settings[client_name]["secret"])
2642
3208
logger.debug("Failed to decrypt {} old secret".format(
3209
client_name))
3210
client["secret"] = (client_settings[client_name]
3211
["secret"])
3212
2643
3213
# Add/remove clients based on new changes made to config
2644
3214
for client_name in (set(old_client_settings)
2645
3215
- set(client_settings)):
2647
3217
for client_name in (set(client_settings)
2648
3218
- set(old_client_settings)):
2649
3219
clients_data[client_name] = client_settings[client_name]
2650
3220
2651
3221
# Create all client objects
2652
for client_name, client in clients_data.iteritems():
3222
for client_name, client in clients_data.items():
2653
3223
tcp_server.clients[client_name] = client_class(
2654
name = client_name, settings = client,
2655
server_settings = server_settings)
2656
3224
name=client_name,
3225
settings=client,
3226
server_settings=server_settings)
3227
2657
3228
if not tcp_server.clients:
2658
3229
logger.warning("No clients defined")
2659
3230
2660
3231
if not foreground:
2661
3232
if pidfile is not None:
3233
pid = os.getpid()
2662
3234
try:
2663
3235
with pidfile:
2664
pid = os.getpid()
2665
pidfile.write(str(pid) + "\n".encode("utf-8"))
3236
print(pid, file=pidfile)
2666
3237
except IOError:
2667
3238
logger.error("Could not write to file %r with PID %d",
2668
3239
pidfilename, pid)
2669
3240
del pidfile
2670
3241
del pidfilename
2671
2672
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2673
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2674
3242
3243
for termsig in (signal.SIGHUP, signal.SIGTERM):
3244
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3245
lambda: main_loop.quit() and False)
3246
2675
3247
if use_dbus:
2676
@alternate_dbus_interfaces({"se.recompile.Mandos":
2677
"se.bsnet.fukt.Mandos"})
2678
class MandosDBusService(DBusObjectWithProperties):
3248
3249
@alternate_dbus_interfaces(
3250
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
3251
class MandosDBusService(DBusObjectWithObjectManager):
2679
3252
"""A D-Bus proxy object"""
3253
2680
3254
def __init__(self):
2681
3255
dbus.service.Object.__init__(self, bus, "/")
3256
2682
3257
_interface = "se.recompile.Mandos"
2683
2684
@dbus_interface_annotations(_interface)
2685
def _foo(self):
2686
return { "org.freedesktop.DBus.Property"
2687
".EmitsChangedSignal":
2688
"false"}
2689
3258
2690
3259
@dbus.service.signal(_interface, signature="o")
2691
3260
def ClientAdded(self, objpath):
2692
3261
"D-Bus signal"
2693
3262
pass
2694
3263
2695
3264
@dbus.service.signal(_interface, signature="ss")
2696
3265
def ClientNotFound(self, fingerprint, address):
2697
3266
"D-Bus signal"
2698
3267
pass
2699
3268
3269
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3270
"true"})
2700
3271
@dbus.service.signal(_interface, signature="os")
2701
3272
def ClientRemoved(self, objpath, name):
2702
3273
"D-Bus signal"
2703
3274
pass
2704
3275
3276
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3277
"true"})
2705
3278
@dbus.service.method(_interface, out_signature="ao")
2706
3279
def GetAllClients(self):
2707
3280
"D-Bus method"
2708
return dbus.Array(c.dbus_object_path
2709
for c in
2710
tcp_server.clients.itervalues())
2711
3281
return dbus.Array(c.dbus_object_path for c in
3282
tcp_server.clients.values())
3283
3284
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
3285
"true"})
2712
3286
@dbus.service.method(_interface,
2713
3287
out_signature="a{oa{sv}}")
2714
3288
def GetAllClientsWithProperties(self):
2715
3289
"D-Bus method"
2716
3290
return dbus.Dictionary(
2717
((c.dbus_object_path, c.GetAll(""))
2718
for c in tcp_server.clients.itervalues()),
3291
{c.dbus_object_path: c.GetAll(
3292
"se.recompile.Mandos.Client")
3293
for c in tcp_server.clients.values()},
2719
3294
signature="oa{sv}")
2720
3295
2721
3296
@dbus.service.method(_interface, in_signature="o")
2722
3297
def RemoveClient(self, object_path):
2723
3298
"D-Bus method"
2724
for c in tcp_server.clients.itervalues():
3299
for c in tcp_server.clients.values():
2725
3300
if c.dbus_object_path == object_path:
2726
3301
del tcp_server.clients[c.name]
2727
3302
c.remove_from_connection()
2728
# Don't signal anything except ClientRemoved
3303
# Don't signal the disabling
2729
3304
c.disable(quiet=True)
2730
# Emit D-Bus signal
2731
self.ClientRemoved(object_path, c.name)
3305
# Emit D-Bus signal for removal
3306
self.client_removed_signal(c)
2732
3307
return
2733
3308
raise KeyError(object_path)
2734
3309
2735
3310
del _interface
2736
3311
3312
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
3313
out_signature="a{oa{sa{sv}}}")
3314
def GetManagedObjects(self):
3315
"""D-Bus method"""
3316
return dbus.Dictionary(
3317
{client.dbus_object_path:
3318
dbus.Dictionary(
3319
{interface: client.GetAll(interface)
3320
for interface in
3321
client._get_all_interface_names()})
3322
for client in tcp_server.clients.values()})
3323
3324
def client_added_signal(self, client):
3325
"""Send the new standard signal and the old signal"""
3326
if use_dbus:
3327
# New standard signal
3328
self.InterfacesAdded(
3329
client.dbus_object_path,
3330
dbus.Dictionary(
3331
{interface: client.GetAll(interface)
3332
for interface in
3333
client._get_all_interface_names()}))
3334
# Old signal
3335
self.ClientAdded(client.dbus_object_path)
3336
3337
def client_removed_signal(self, client):
3338
"""Send the new standard signal and the old signal"""
3339
if use_dbus:
3340
# New standard signal
3341
self.InterfacesRemoved(
3342
client.dbus_object_path,
3343
client._get_all_interface_names())
3344
# Old signal
3345
self.ClientRemoved(client.dbus_object_path,
3346
client.name)
3347
2737
3348
mandos_dbus_service = MandosDBusService()
2738
3349
3350
# Save modules to variables to exempt the modules from being
3351
# unloaded before the function registered with atexit() is run.
3352
mp = multiprocessing
3353
wn = wnull
3354
2739
3355
def cleanup():
2740
3356
"Cleanup function; run on exit"
2741
service.cleanup()
2742
2743
multiprocessing.active_children()
2744
wnull.close()
3357
if zeroconf:
3358
service.cleanup()
3359
3360
mp.active_children()
3361
wn.close()
2745
3362
if not (tcp_server.clients or client_settings):
2746
3363
return
2747
3364
2748
3365
# Store client before exiting. Secrets are encrypted with key
2749
3366
# based on what config file has. If config file is
2750
3367
# removed/edited, old secret will thus be unrecovable.
2751
3368
clients = {}
2752
3369
with PGPEngine() as pgp:
2753
for client in tcp_server.clients.itervalues():
3370
for client in tcp_server.clients.values():
2754
3371
key = client_settings[client.name]["secret"]
2755
3372
client.encrypted_secret = pgp.encrypt(client.secret,
2756
3373
key)
2757
3374
client_dict = {}
2758
3375
2759
3376
# A list of attributes that can not be pickled
2760
3377
# + secret.
2761
exclude = set(("bus", "changedstate", "secret",
2762
"checker", "server_settings"))
2763
for name, typ in (inspect.getmembers
2764
(dbus.service.Object)):
3378
exclude = {"bus", "changedstate", "secret",
3379
"checker", "server_settings"}
3380
for name, typ in inspect.getmembers(dbus.service
3381
.Object):
2765
3382
exclude.add(name)
2766
3383
2767
3384
client_dict["encrypted_secret"] = (client
2768
3385
.encrypted_secret)
2769
3386
for attr in client.client_structure:
2770
3387
if attr not in exclude:
2771
3388
client_dict[attr] = getattr(client, attr)
2772
3389
2773
3390
clients[client.name] = client_dict
2774
3391
del client_settings[client.name]["secret"]
2775
3392
2776
3393
try:
2777
with (tempfile.NamedTemporaryFile
2778
(mode='wb', suffix=".pickle", prefix='clients-',
2779
dir=os.path.dirname(stored_state_path),
2780
delete=False)) as stored_state:
2781
pickle.dump((clients, client_settings), stored_state)
2782
tempname=stored_state.name
3394
with tempfile.NamedTemporaryFile(
3395
mode='wb',
3396
suffix=".pickle",
3397
prefix='clients-',
3398
dir=os.path.dirname(stored_state_path),
3399
delete=False) as stored_state:
3400
pickle.dump((clients, client_settings), stored_state,
3401
protocol=2)
3402
tempname = stored_state.name
2783
3403
os.rename(tempname, stored_state_path)
2784
3404
except (IOError, OSError) as e:
2785
3405
if not debug:
2788
3408
except NameError:
2789
3409
pass
2790
3410
if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):
2791
logger.warning("Could not save persistent state: {0}"
3411
logger.warning("Could not save persistent state: {}"
2792
3412
.format(os.strerror(e.errno)))
2793
3413
else:
2794
3414
logger.warning("Could not save persistent state:",
2795
3415
exc_info=e)
2796
3416
raise
2797
3417
2798
3418
# Delete all clients, and settings from config
2799
3419
while tcp_server.clients:
2800
3420
name, client = tcp_server.clients.popitem()
2801
3421
if use_dbus:
2802
3422
client.remove_from_connection()
2803
# Don't signal anything except ClientRemoved
3423
# Don't signal the disabling
2804
3424
client.disable(quiet=True)
3425
# Emit D-Bus signal for removal
2805
3426
if use_dbus:
2806
# Emit D-Bus signal
2807
mandos_dbus_service.ClientRemoved(client
2808
.dbus_object_path,
2809
client.name)
3427
mandos_dbus_service.client_removed_signal(client)
2810
3428
client_settings.clear()
2811
3429
2812
3430
atexit.register(cleanup)
2813
2814
for client in tcp_server.clients.itervalues():
3431
3432
for client in tcp_server.clients.values():
2815
3433
if use_dbus:
2816
# Emit D-Bus signal
2817
mandos_dbus_service.ClientAdded(client.dbus_object_path)
3434
# Emit D-Bus signal for adding
3435
mandos_dbus_service.client_added_signal(client)
2818
3436
# Need to initiate checking of clients
2819
3437
if client.enabled:
2820
3438
client.init_checker()
2821
3439
2822
3440
tcp_server.enable()
2823
3441
tcp_server.server_activate()
2824
3442
2825
3443
# Find out what port we got
2826
service.port = tcp_server.socket.getsockname()[1]
3444
if zeroconf:
3445
service.port = tcp_server.socket.getsockname()[1]
2827
3446
if use_ipv6:
2828
3447
logger.info("Now listening on address %r, port %d,"
2829
3448
" flowinfo %d, scope_id %d",
2831
3450
else: # IPv4
2832
3451
logger.info("Now listening on address %r, port %d",
2833
3452
*tcp_server.socket.getsockname())
2834
2835
#service.interface = tcp_server.socket.getsockname()[3]
2836
3453
3454
# service.interface = tcp_server.socket.getsockname()[3]
3455
2837
3456
try:
2838
# From the Avahi example code
2839
try:
2840
service.activate()
2841
except dbus.exceptions.DBusException as error:
2842
logger.critical("D-Bus Exception", exc_info=error)
2843
cleanup()
2844
sys.exit(1)
2845
# End of Avahi example code
2846
2847
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
2848
lambda *args, **kwargs:
2849
(tcp_server.handle_request
2850
(*args[2:], **kwargs) or True))
2851
3457
if zeroconf:
3458
# From the Avahi example code
3459
try:
3460
service.activate()
3461
except dbus.exceptions.DBusException as error:
3462
logger.critical("D-Bus Exception", exc_info=error)
3463
cleanup()
3464
sys.exit(1)
3465
# End of Avahi example code
3466
3467
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3468
lambda *args, **kwargs:
3469
(tcp_server.handle_request
3470
(*args[2:], **kwargs) or True))
3471
2852
3472
logger.debug("Starting main loop")
2853
3473
main_loop.run()
2854
3474
except AvahiError as error:
2863
3483
# Must run before the D-Bus bus name gets deregistered
2864
3484
cleanup()
2865
3485
3486
2866
3487
if __name__ == '__main__':
2867
3488
main()
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0