To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 875
- compare with another revision
- download diff
- download tarball
- view history from revision 875
- Committer: Teddy Hogeborn
- Date: 2016-08-26 18:44:21 UTC
- Revision ID: teddy@recompile.se-20160826184421-gjqjgzxy3lupx9n3
Fix bug where mandos server could not find GnuTLS library
* mandos (GnuTLS): Try to find both "gnutls" and variant name
"gnutls-deb0", for a Debian Jessie system which
does not have the package "gnutls28-dev" installed.
* mandos (GnuTLS): Try to find both "gnutls" and variant name
"gnutls-deb0", for a Debian Jessie system which
does not have the package "gnutls28-dev" installed.
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
14
# Copyright © 2008-2016 Teddy Hogeborn
15
# Copyright © 2008-2016 Björn Påhlsson
16
#
17
17
# This program is free software: you can redistribute it and/or modify
18
18
# it under the terms of the GNU General Public License as published by
19
19
# the Free Software Foundation, either version 3 of the License, or
23
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
24
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
25
# GNU General Public License for more details.
26
#
26
#
27
27
# You should have received a copy of the GNU General Public License
28
28
# along with this program. If not, see
29
29
# <http://www.gnu.org/licenses/>.
30
#
30
#
31
31
# Contact the authors at <mandos@recompile.se>.
32
#
32
#
33
33
34
34
from __future__ import (division, absolute_import, print_function,
35
35
unicode_literals)
36
36
37
from future_builtins import *
37
try:
38
from future_builtins import *
39
except ImportError:
40
pass
38
41
39
42
try:
40
43
import SocketServer as socketserver
44
47
import argparse
45
48
import datetime
46
49
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
50
try:
54
51
import ConfigParser as configparser
55
52
except ImportError:
82
79
83
80
import dbus
84
81
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
82
from gi.repository import GLib
90
83
from dbus.mainloop.glib import DBusGMainLoop
91
84
import ctypes
92
85
import ctypes.util
93
86
import xml.dom.minidom
94
87
import inspect
95
88
89
# Try to find the value of SO_BINDTODEVICE:
96
90
try:
91
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
92
# newer, and it is also the most natural place for it:
97
93
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
94
except AttributeError:
99
95
try:
96
# This is where SO_BINDTODEVICE was up to and including Python
97
# 2.6, and also 3.2:
100
98
from IN import SO_BINDTODEVICE
101
99
except ImportError:
102
SO_BINDTODEVICE = None
100
# In Python 2.7 it seems to have been removed entirely.
101
# Try running the C preprocessor:
102
try:
103
cc = subprocess.Popen(["cc", "--language=c", "-E",
104
"/dev/stdin"],
105
stdin=subprocess.PIPE,
106
stdout=subprocess.PIPE)
107
stdout = cc.communicate(
108
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
109
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
110
except (OSError, ValueError, IndexError):
111
# No value found
112
SO_BINDTODEVICE = None
103
113
104
114
if sys.version_info.major == 2:
105
115
str = unicode
106
116
107
version = "1.7.1"
117
version = "1.7.10"
108
118
stored_state_file = "clients.pickle"
109
119
110
120
logger = logging.getLogger()
114
124
if_nametoindex = ctypes.cdll.LoadLibrary(
115
125
ctypes.util.find_library("c")).if_nametoindex
116
126
except (OSError, AttributeError):
117
127
118
128
def if_nametoindex(interface):
119
129
"Get an interface index the hard way, i.e. using fcntl()"
120
130
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
135
return interface_index
126
136
127
137
138
def copy_function(func):
139
"""Make a copy of a function"""
140
if sys.version_info.major == 2:
141
return types.FunctionType(func.func_code,
142
func.func_globals,
143
func.func_name,
144
func.func_defaults,
145
func.func_closure)
146
else:
147
return types.FunctionType(func.__code__,
148
func.__globals__,
149
func.__name__,
150
func.__defaults__,
151
func.__closure__)
152
153
128
154
def initlogger(debug, level=logging.WARNING):
129
155
"""init logger and add loglevel"""
130
156
131
157
global syslogger
132
158
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
159
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
160
address="/dev/log"))
135
161
syslogger.setFormatter(logging.Formatter
136
162
('Mandos [%(process)d]: %(levelname)s:'
137
163
' %(message)s'))
138
164
logger.addHandler(syslogger)
139
165
140
166
if debug:
141
167
console = logging.StreamHandler()
142
168
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
180
155
181
class PGPEngine(object):
156
182
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
183
158
184
def __init__(self):
159
185
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
186
self.gpg = "gpg"
187
try:
188
output = subprocess.check_output(["gpgconf"])
189
for line in output.splitlines():
190
name, text, path = line.split(b":")
191
if name == "gpg":
192
self.gpg = path
193
break
194
except OSError as e:
195
if e.errno != errno.ENOENT:
196
raise
160
197
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
198
'--homedir', self.tempdir,
162
199
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
200
'--quiet']
201
# Only GPG version 1 has the --no-use-agent option.
202
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
203
self.gnupgargs.append("--no-use-agent")
204
166
205
def __enter__(self):
167
206
return self
168
207
169
208
def __exit__(self, exc_type, exc_value, traceback):
170
209
self._cleanup()
171
210
return False
172
211
173
212
def __del__(self):
174
213
self._cleanup()
175
214
176
215
def _cleanup(self):
177
216
if self.tempdir is not None:
178
217
# Delete contents of tempdir
179
218
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
219
topdown=False):
181
220
for filename in files:
182
221
os.remove(os.path.join(root, filename))
183
222
for dirname in dirs:
185
224
# Remove tempdir
186
225
os.rmdir(self.tempdir)
187
226
self.tempdir = None
188
227
189
228
def password_encode(self, password):
190
229
# Passphrase can not be empty and can not contain newlines or
191
230
# NUL bytes. So we prefix it and hex encode it.
196
235
.replace(b"\n", b"\\n")
197
236
.replace(b"\0", b"\\x00"))
198
237
return encoded
199
238
200
239
def encrypt(self, data, password):
201
240
passphrase = self.password_encode(password)
202
241
with tempfile.NamedTemporaryFile(
203
242
dir=self.tempdir) as passfile:
204
243
passfile.write(passphrase)
205
244
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
245
proc = subprocess.Popen([self.gpg, '--symmetric',
207
246
'--passphrase-file',
208
247
passfile.name]
209
248
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
249
stdin=subprocess.PIPE,
250
stdout=subprocess.PIPE,
251
stderr=subprocess.PIPE)
252
ciphertext, err = proc.communicate(input=data)
214
253
if proc.returncode != 0:
215
254
raise PGPError(err)
216
255
return ciphertext
217
256
218
257
def decrypt(self, data, password):
219
258
passphrase = self.password_encode(password)
220
259
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
260
dir=self.tempdir) as passfile:
222
261
passfile.write(passphrase)
223
262
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
263
proc = subprocess.Popen([self.gpg, '--decrypt',
225
264
'--passphrase-file',
226
265
passfile.name]
227
266
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
267
stdin=subprocess.PIPE,
268
stdout=subprocess.PIPE,
269
stderr=subprocess.PIPE)
270
decrypted_plaintext, err = proc.communicate(input=data)
232
271
if proc.returncode != 0:
233
272
raise PGPError(err)
234
273
return decrypted_plaintext
235
274
236
275
276
# Pretend that we have an Avahi module
277
class Avahi(object):
278
"""This isn't so much a class as it is a module-like namespace.
279
It is instantiated once, and simulates having an Avahi module."""
280
IF_UNSPEC = -1 # avahi-common/address.h
281
PROTO_UNSPEC = -1 # avahi-common/address.h
282
PROTO_INET = 0 # avahi-common/address.h
283
PROTO_INET6 = 1 # avahi-common/address.h
284
DBUS_NAME = "org.freedesktop.Avahi"
285
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
286
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
287
DBUS_PATH_SERVER = "/"
288
289
def string_array_to_txt_array(self, t):
290
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
291
for s in t), signature="ay")
292
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
293
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
294
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
295
SERVER_INVALID = 0 # avahi-common/defs.h
296
SERVER_REGISTERING = 1 # avahi-common/defs.h
297
SERVER_RUNNING = 2 # avahi-common/defs.h
298
SERVER_COLLISION = 3 # avahi-common/defs.h
299
SERVER_FAILURE = 4 # avahi-common/defs.h
300
avahi = Avahi()
301
302
237
303
class AvahiError(Exception):
238
304
def __init__(self, value, *args, **kwargs):
239
305
self.value = value
251
317
252
318
class AvahiService(object):
253
319
"""An Avahi (Zeroconf) service.
254
320
255
321
Attributes:
256
322
interface: integer; avahi.IF_UNSPEC or an interface index.
257
323
Used to optionally bind to the specified interface.
269
335
server: D-Bus Server
270
336
bus: dbus.SystemBus()
271
337
"""
272
338
273
339
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
340
interface=avahi.IF_UNSPEC,
341
name=None,
342
servicetype=None,
343
port=None,
344
TXT=None,
345
domain="",
346
host="",
347
max_renames=32768,
348
protocol=avahi.PROTO_UNSPEC,
349
bus=None):
284
350
self.interface = interface
285
351
self.name = name
286
352
self.type = servicetype
295
361
self.server = None
296
362
self.bus = bus
297
363
self.entry_group_state_changed_match = None
298
364
299
365
def rename(self, remove=True):
300
366
"""Derived from the Avahi example code"""
301
367
if self.rename_count >= self.max_renames:
321
387
logger.critical("D-Bus Exception", exc_info=error)
322
388
self.cleanup()
323
389
os._exit(1)
324
390
325
391
def remove(self):
326
392
"""Derived from the Avahi example code"""
327
393
if self.entry_group_state_changed_match is not None:
329
395
self.entry_group_state_changed_match = None
330
396
if self.group is not None:
331
397
self.group.Reset()
332
398
333
399
def add(self):
334
400
"""Derived from the Avahi example code"""
335
401
self.remove()
352
418
dbus.UInt16(self.port),
353
419
avahi.string_array_to_txt_array(self.TXT))
354
420
self.group.Commit()
355
421
356
422
def entry_group_state_changed(self, state, error):
357
423
"""Derived from the Avahi example code"""
358
424
logger.debug("Avahi entry group state change: %i", state)
359
425
360
426
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
427
logger.debug("Zeroconf service established.")
362
428
elif state == avahi.ENTRY_GROUP_COLLISION:
366
432
logger.critical("Avahi: Error in group state changed %s",
367
433
str(error))
368
434
raise AvahiGroupError("State changed: {!s}".format(error))
369
435
370
436
def cleanup(self):
371
437
"""Derived from the Avahi example code"""
372
438
if self.group is not None:
377
443
pass
378
444
self.group = None
379
445
self.remove()
380
446
381
447
def server_state_changed(self, state, error=None):
382
448
"""Derived from the Avahi example code"""
383
449
logger.debug("Avahi server state change: %i", state)
412
478
logger.debug("Unknown state: %r", state)
413
479
else:
414
480
logger.debug("Unknown state: %r: %r", state, error)
415
481
416
482
def activate(self):
417
483
"""Derived from the Avahi example code"""
418
484
if self.server is None:
435
501
.format(self.name)))
436
502
return ret
437
503
504
505
# Pretend that we have a GnuTLS module
506
class GnuTLS(object):
507
"""This isn't so much a class as it is a module-like namespace.
508
It is instantiated once, and simulates having a GnuTLS module."""
509
510
library = ctypes.util.find_library("gnutls")
511
if library is None:
512
library = ctypes.util.find_library("gnutls-deb0")
513
_library = ctypes.cdll.LoadLibrary(library)
514
del library
515
_need_version = b"3.3.0"
516
517
def __init__(self):
518
# Need to use class name "GnuTLS" here, since this method is
519
# called before the assignment to the "gnutls" global variable
520
# happens.
521
if GnuTLS.check_version(self._need_version) is None:
522
raise GnuTLS.Error("Needs GnuTLS {} or later"
523
.format(self._need_version))
524
525
# Unless otherwise indicated, the constants and types below are
526
# all from the gnutls/gnutls.h C header file.
527
528
# Constants
529
E_SUCCESS = 0
530
E_INTERRUPTED = -52
531
E_AGAIN = -28
532
CRT_OPENPGP = 2
533
CLIENT = 2
534
SHUT_RDWR = 0
535
CRD_CERTIFICATE = 1
536
E_NO_CERTIFICATE_FOUND = -49
537
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
538
539
# Types
540
class session_int(ctypes.Structure):
541
_fields_ = []
542
session_t = ctypes.POINTER(session_int)
543
544
class certificate_credentials_st(ctypes.Structure):
545
_fields_ = []
546
certificate_credentials_t = ctypes.POINTER(
547
certificate_credentials_st)
548
certificate_type_t = ctypes.c_int
549
550
class datum_t(ctypes.Structure):
551
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
552
('size', ctypes.c_uint)]
553
554
class openpgp_crt_int(ctypes.Structure):
555
_fields_ = []
556
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
557
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
558
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
559
credentials_type_t = ctypes.c_int
560
transport_ptr_t = ctypes.c_void_p
561
close_request_t = ctypes.c_int
562
563
# Exceptions
564
class Error(Exception):
565
# We need to use the class name "GnuTLS" here, since this
566
# exception might be raised from within GnuTLS.__init__,
567
# which is called before the assignment to the "gnutls"
568
# global variable has happened.
569
def __init__(self, message=None, code=None, args=()):
570
# Default usage is by a message string, but if a return
571
# code is passed, convert it to a string with
572
# gnutls.strerror()
573
self.code = code
574
if message is None and code is not None:
575
message = GnuTLS.strerror(code)
576
return super(GnuTLS.Error, self).__init__(
577
message, *args)
578
579
class CertificateSecurityError(Error):
580
pass
581
582
# Classes
583
class Credentials(object):
584
def __init__(self):
585
self._c_object = gnutls.certificate_credentials_t()
586
gnutls.certificate_allocate_credentials(
587
ctypes.byref(self._c_object))
588
self.type = gnutls.CRD_CERTIFICATE
589
590
def __del__(self):
591
gnutls.certificate_free_credentials(self._c_object)
592
593
class ClientSession(object):
594
def __init__(self, socket, credentials=None):
595
self._c_object = gnutls.session_t()
596
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
597
gnutls.set_default_priority(self._c_object)
598
gnutls.transport_set_ptr(self._c_object, socket.fileno())
599
gnutls.handshake_set_private_extensions(self._c_object,
600
True)
601
self.socket = socket
602
if credentials is None:
603
credentials = gnutls.Credentials()
604
gnutls.credentials_set(self._c_object, credentials.type,
605
ctypes.cast(credentials._c_object,
606
ctypes.c_void_p))
607
self.credentials = credentials
608
609
def __del__(self):
610
gnutls.deinit(self._c_object)
611
612
def handshake(self):
613
return gnutls.handshake(self._c_object)
614
615
def send(self, data):
616
data = bytes(data)
617
data_len = len(data)
618
while data_len > 0:
619
data_len -= gnutls.record_send(self._c_object,
620
data[-data_len:],
621
data_len)
622
623
def bye(self):
624
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
625
626
# Error handling functions
627
def _error_code(result):
628
"""A function to raise exceptions on errors, suitable
629
for the 'restype' attribute on ctypes functions"""
630
if result >= 0:
631
return result
632
if result == gnutls.E_NO_CERTIFICATE_FOUND:
633
raise gnutls.CertificateSecurityError(code=result)
634
raise gnutls.Error(code=result)
635
636
def _retry_on_error(result, func, arguments):
637
"""A function to retry on some errors, suitable
638
for the 'errcheck' attribute on ctypes functions"""
639
while result < 0:
640
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
641
return _error_code(result)
642
result = func(*arguments)
643
return result
644
645
# Unless otherwise indicated, the function declarations below are
646
# all from the gnutls/gnutls.h C header file.
647
648
# Functions
649
priority_set_direct = _library.gnutls_priority_set_direct
650
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
651
ctypes.POINTER(ctypes.c_char_p)]
652
priority_set_direct.restype = _error_code
653
654
init = _library.gnutls_init
655
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
656
init.restype = _error_code
657
658
set_default_priority = _library.gnutls_set_default_priority
659
set_default_priority.argtypes = [session_t]
660
set_default_priority.restype = _error_code
661
662
record_send = _library.gnutls_record_send
663
record_send.argtypes = [session_t, ctypes.c_void_p,
664
ctypes.c_size_t]
665
record_send.restype = ctypes.c_ssize_t
666
record_send.errcheck = _retry_on_error
667
668
certificate_allocate_credentials = (
669
_library.gnutls_certificate_allocate_credentials)
670
certificate_allocate_credentials.argtypes = [
671
ctypes.POINTER(certificate_credentials_t)]
672
certificate_allocate_credentials.restype = _error_code
673
674
certificate_free_credentials = (
675
_library.gnutls_certificate_free_credentials)
676
certificate_free_credentials.argtypes = [
677
certificate_credentials_t]
678
certificate_free_credentials.restype = None
679
680
handshake_set_private_extensions = (
681
_library.gnutls_handshake_set_private_extensions)
682
handshake_set_private_extensions.argtypes = [session_t,
683
ctypes.c_int]
684
handshake_set_private_extensions.restype = None
685
686
credentials_set = _library.gnutls_credentials_set
687
credentials_set.argtypes = [session_t, credentials_type_t,
688
ctypes.c_void_p]
689
credentials_set.restype = _error_code
690
691
strerror = _library.gnutls_strerror
692
strerror.argtypes = [ctypes.c_int]
693
strerror.restype = ctypes.c_char_p
694
695
certificate_type_get = _library.gnutls_certificate_type_get
696
certificate_type_get.argtypes = [session_t]
697
certificate_type_get.restype = _error_code
698
699
certificate_get_peers = _library.gnutls_certificate_get_peers
700
certificate_get_peers.argtypes = [session_t,
701
ctypes.POINTER(ctypes.c_uint)]
702
certificate_get_peers.restype = ctypes.POINTER(datum_t)
703
704
global_set_log_level = _library.gnutls_global_set_log_level
705
global_set_log_level.argtypes = [ctypes.c_int]
706
global_set_log_level.restype = None
707
708
global_set_log_function = _library.gnutls_global_set_log_function
709
global_set_log_function.argtypes = [log_func]
710
global_set_log_function.restype = None
711
712
deinit = _library.gnutls_deinit
713
deinit.argtypes = [session_t]
714
deinit.restype = None
715
716
handshake = _library.gnutls_handshake
717
handshake.argtypes = [session_t]
718
handshake.restype = _error_code
719
handshake.errcheck = _retry_on_error
720
721
transport_set_ptr = _library.gnutls_transport_set_ptr
722
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
723
transport_set_ptr.restype = None
724
725
bye = _library.gnutls_bye
726
bye.argtypes = [session_t, close_request_t]
727
bye.restype = _error_code
728
bye.errcheck = _retry_on_error
729
730
check_version = _library.gnutls_check_version
731
check_version.argtypes = [ctypes.c_char_p]
732
check_version.restype = ctypes.c_char_p
733
734
# All the function declarations below are from gnutls/openpgp.h
735
736
openpgp_crt_init = _library.gnutls_openpgp_crt_init
737
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
738
openpgp_crt_init.restype = _error_code
739
740
openpgp_crt_import = _library.gnutls_openpgp_crt_import
741
openpgp_crt_import.argtypes = [openpgp_crt_t,
742
ctypes.POINTER(datum_t),
743
openpgp_crt_fmt_t]
744
openpgp_crt_import.restype = _error_code
745
746
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
747
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
748
ctypes.POINTER(ctypes.c_uint)]
749
openpgp_crt_verify_self.restype = _error_code
750
751
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
752
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
753
openpgp_crt_deinit.restype = None
754
755
openpgp_crt_get_fingerprint = (
756
_library.gnutls_openpgp_crt_get_fingerprint)
757
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
758
ctypes.c_void_p,
759
ctypes.POINTER(
760
ctypes.c_size_t)]
761
openpgp_crt_get_fingerprint.restype = _error_code
762
763
# Remove non-public functions
764
del _error_code, _retry_on_error
765
# Create the global "gnutls" object, simulating a module
766
gnutls = GnuTLS()
767
768
438
769
def call_pipe(connection, # : multiprocessing.Connection
439
770
func, *args, **kwargs):
440
771
"""This function is meant to be called by multiprocessing.Process
441
772
442
773
This function runs func(*args, **kwargs), and writes the resulting
443
774
return value on the provided multiprocessing.Connection.
444
775
"""
445
776
connection.send(func(*args, **kwargs))
446
777
connection.close()
447
778
779
448
780
class Client(object):
449
781
"""A representation of a client host served by this server.
450
782
451
783
Attributes:
452
784
approved: bool(); 'None' if not yet approved/disapproved
453
785
approval_delay: datetime.timedelta(); Time to wait for approval
455
787
checker: subprocess.Popen(); a running checker process used
456
788
to see if the client lives.
457
789
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
790
checker_callback_tag: a GLib event source tag, or None
459
791
checker_command: string; External command which is run to check
460
792
if client lives. %() expansions are done at
461
793
runtime with vars(self) as dict, so that for
462
794
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
795
checker_initiator_tag: a GLib event source tag, or None
464
796
created: datetime.datetime(); (UTC) object creation
465
797
client_structure: Object describing what attributes a client has
466
798
and is used for storing the client at exit
467
799
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
800
disable_initiator_tag: a GLib event source tag, or None
469
801
enabled: bool()
470
802
fingerprint: string (40 or 32 hexadecimal digits); used to
471
803
uniquely identify the client
490
822
disabled, or None
491
823
server_settings: The server_settings dict from main()
492
824
"""
493
825
494
826
runtime_expansions = ("approval_delay", "approval_duration",
495
827
"created", "enabled", "expires",
496
828
"fingerprint", "host", "interval",
507
839
"approved_by_default": "True",
508
840
"enabled": "True",
509
841
}
510
842
511
843
@staticmethod
512
844
def config_parser(config):
513
845
"""Construct a new dict of client settings of this form:
520
852
for client_name in config.sections():
521
853
section = dict(config.items(client_name))
522
854
client = settings[client_name] = {}
523
855
524
856
client["host"] = section["host"]
525
857
# Reformat values from string types to Python types
526
858
client["approved_by_default"] = config.getboolean(
527
859
client_name, "approved_by_default")
528
860
client["enabled"] = config.getboolean(client_name,
529
861
"enabled")
530
862
531
863
# Uppercase and remove spaces from fingerprint for later
532
864
# comparison purposes with return value from the
533
865
# fingerprint() function
534
866
client["fingerprint"] = (section["fingerprint"].upper()
535
867
.replace(" ", ""))
536
868
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
869
client["secret"] = codecs.decode(section["secret"]
870
.encode("utf-8"),
871
"base64")
538
872
elif "secfile" in section:
539
873
with open(os.path.expanduser(os.path.expandvars
540
874
(section["secfile"])),
555
889
client["last_approval_request"] = None
556
890
client["last_checked_ok"] = None
557
891
client["last_checker_status"] = -2
558
892
559
893
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
894
895
def __init__(self, settings, name=None, server_settings=None):
562
896
self.name = name
563
897
if server_settings is None:
564
898
server_settings = {}
566
900
# adding all client settings
567
901
for setting, value in settings.items():
568
902
setattr(self, setting, value)
569
903
570
904
if self.enabled:
571
905
if not hasattr(self, "last_enabled"):
572
906
self.last_enabled = datetime.datetime.utcnow()
576
910
else:
577
911
self.last_enabled = None
578
912
self.expires = None
579
913
580
914
logger.debug("Creating client %r", self.name)
581
915
logger.debug(" Fingerprint: %s", self.fingerprint)
582
916
self.created = settings.get("created",
583
917
datetime.datetime.utcnow())
584
918
585
919
# attributes specific for this server instance
586
920
self.checker = None
587
921
self.checker_initiator_tag = None
593
927
self.changedstate = multiprocessing_manager.Condition(
594
928
multiprocessing_manager.Lock())
595
929
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
930
for attr in self.__dict__.keys()
597
931
if not attr.startswith("_")]
598
932
self.client_structure.append("client_structure")
599
933
600
934
for name, t in inspect.getmembers(
601
935
type(self), lambda obj: isinstance(obj, property)):
602
936
if not name.startswith("_"):
603
937
self.client_structure.append(name)
604
938
605
939
# Send notice to process children that client state has changed
606
940
def send_changedstate(self):
607
941
with self.changedstate:
608
942
self.changedstate.notify_all()
609
943
610
944
def enable(self):
611
945
"""Start this client's checker and timeout hooks"""
612
946
if getattr(self, "enabled", False):
617
951
self.last_enabled = datetime.datetime.utcnow()
618
952
self.init_checker()
619
953
self.send_changedstate()
620
954
621
955
def disable(self, quiet=True):
622
956
"""Disable this client."""
623
957
if not getattr(self, "enabled", False):
625
959
if not quiet:
626
960
logger.info("Disabling client %s", self.name)
627
961
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
962
GLib.source_remove(self.disable_initiator_tag)
629
963
self.disable_initiator_tag = None
630
964
self.expires = None
631
965
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
966
GLib.source_remove(self.checker_initiator_tag)
633
967
self.checker_initiator_tag = None
634
968
self.stop_checker()
635
969
self.enabled = False
636
970
if not quiet:
637
971
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
972
# Do not run this again if called by a GLib.timeout_add
639
973
return False
640
974
641
975
def __del__(self):
642
976
self.disable()
643
977
644
978
def init_checker(self):
645
979
# Schedule a new checker to be started an 'interval' from now,
646
980
# and every interval from then on.
647
981
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
982
GLib.source_remove(self.checker_initiator_tag)
983
self.checker_initiator_tag = GLib.timeout_add(
650
984
int(self.interval.total_seconds() * 1000),
651
985
self.start_checker)
652
986
# Schedule a disable() when 'timeout' has passed
653
987
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
988
GLib.source_remove(self.disable_initiator_tag)
989
self.disable_initiator_tag = GLib.timeout_add(
656
990
int(self.timeout.total_seconds() * 1000), self.disable)
657
991
# Also start a new checker *right now*.
658
992
self.start_checker()
659
993
660
994
def checker_callback(self, source, condition, connection,
661
995
command):
662
996
"""The checker has completed, so take appropriate actions."""
665
999
# Read return code from connection (see call_pipe)
666
1000
returncode = connection.recv()
667
1001
connection.close()
668
1002
669
1003
if returncode >= 0:
670
1004
self.last_checker_status = returncode
671
1005
self.last_checker_signal = None
681
1015
logger.warning("Checker for %(name)s crashed?",
682
1016
vars(self))
683
1017
return False
684
1018
685
1019
def checked_ok(self):
686
1020
"""Assert that the client has been seen, alive and well."""
687
1021
self.last_checked_ok = datetime.datetime.utcnow()
688
1022
self.last_checker_status = 0
689
1023
self.last_checker_signal = None
690
1024
self.bump_timeout()
691
1025
692
1026
def bump_timeout(self, timeout=None):
693
1027
"""Bump up the timeout for this client."""
694
1028
if timeout is None:
695
1029
timeout = self.timeout
696
1030
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1031
GLib.source_remove(self.disable_initiator_tag)
698
1032
self.disable_initiator_tag = None
699
1033
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1034
self.disable_initiator_tag = GLib.timeout_add(
701
1035
int(timeout.total_seconds() * 1000), self.disable)
702
1036
self.expires = datetime.datetime.utcnow() + timeout
703
1037
704
1038
def need_approval(self):
705
1039
self.last_approval_request = datetime.datetime.utcnow()
706
1040
707
1041
def start_checker(self):
708
1042
"""Start a new checker subprocess if one is not running.
709
1043
710
1044
If a checker already exists, leave it running and do
711
1045
nothing."""
712
1046
# The reason for not killing a running checker is that if we
717
1051
# checkers alone, the checker would have to take more time
718
1052
# than 'timeout' for the client to be disabled, which is as it
719
1053
# should be.
720
1054
721
1055
if self.checker is not None and not self.checker.is_alive():
722
1056
logger.warning("Checker was not alive; joining")
723
1057
self.checker.join()
727
1061
# Escape attributes for the shell
728
1062
escaped_attrs = {
729
1063
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1064
for attr in self.runtime_expansions}
731
1065
try:
732
1066
command = self.checker_command % escaped_attrs
733
1067
except TypeError as error:
745
1079
# The exception is when not debugging but nevertheless
746
1080
# running in the foreground; use the previously
747
1081
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1082
popen_args = {"close_fds": True,
1083
"shell": True,
1084
"cwd": "/"}
751
1085
if (not self.server_settings["debug"]
752
1086
and self.server_settings["foreground"]):
753
1087
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1088
"stderr": wnull})
1089
pipe = multiprocessing.Pipe(duplex=False)
756
1090
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1091
target=call_pipe,
1092
args=(pipe[1], subprocess.call, command),
1093
kwargs=popen_args)
760
1094
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1095
self.checker_callback_tag = GLib.io_add_watch(
1096
pipe[0].fileno(), GLib.IO_IN,
763
1097
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1098
# Re-run this periodically if run by GLib.timeout_add
765
1099
return True
766
1100
767
1101
def stop_checker(self):
768
1102
"""Force the checker process, if any, to stop."""
769
1103
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1104
GLib.source_remove(self.checker_callback_tag)
771
1105
self.checker_callback_tag = None
772
1106
if getattr(self, "checker", None) is None:
773
1107
return
782
1116
byte_arrays=False):
783
1117
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1118
become properties on the D-Bus.
785
1119
786
1120
The decorated method will be called with no arguments by "Get"
787
1121
and with one argument by "Set".
788
1122
789
1123
The parameters, where they are supported, are the same as
790
1124
dbus.service.method, except there is only "signature", since the
791
1125
type from Get() and the type sent to Set() is the same.
795
1129
if byte_arrays and signature != "ay":
796
1130
raise ValueError("Byte arrays not supported for non-'ay'"
797
1131
" signature {!r}".format(signature))
798
1132
799
1133
def decorator(func):
800
1134
func._dbus_is_property = True
801
1135
func._dbus_interface = dbus_interface
804
1138
func._dbus_name = func.__name__
805
1139
if func._dbus_name.endswith("_dbus_property"):
806
1140
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1141
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1142
return func
809
1143
810
1144
return decorator
811
1145
812
1146
813
1147
def dbus_interface_annotations(dbus_interface):
814
1148
"""Decorator for marking functions returning interface annotations
815
1149
816
1150
Usage:
817
1151
818
1152
@dbus_interface_annotations("org.example.Interface")
819
1153
def _foo(self): # Function name does not matter
820
1154
return {"org.freedesktop.DBus.Deprecated": "true",
821
1155
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1156
"false"}
823
1157
"""
824
1158
825
1159
def decorator(func):
826
1160
func._dbus_is_interface = True
827
1161
func._dbus_interface = dbus_interface
828
1162
func._dbus_name = dbus_interface
829
1163
return func
830
1164
831
1165
return decorator
832
1166
833
1167
834
1168
def dbus_annotations(annotations):
835
1169
"""Decorator to annotate D-Bus methods, signals or properties
836
1170
Usage:
837
1171
838
1172
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1173
"org.freedesktop.DBus.Property."
840
1174
"EmitsChangedSignal": "false"})
842
1176
access="r")
843
1177
def Property_dbus_property(self):
844
1178
return dbus.Boolean(False)
845
1179
846
1180
See also the DBusObjectWithAnnotations class.
847
1181
"""
848
1182
849
1183
def decorator(func):
850
1184
func._dbus_annotations = annotations
851
1185
return func
852
1186
853
1187
return decorator
854
1188
855
1189
873
1207
874
1208
class DBusObjectWithAnnotations(dbus.service.Object):
875
1209
"""A D-Bus object with annotations.
876
1210
877
1211
Classes inheriting from this can use the dbus_annotations
878
1212
decorator to add annotations to methods or signals.
879
1213
"""
880
1214
881
1215
@staticmethod
882
1216
def _is_dbus_thing(thing):
883
1217
"""Returns a function testing if an attribute is a D-Bus thing
884
1218
885
1219
If called like _is_dbus_thing("method") it returns a function
886
1220
suitable for use as predicate to inspect.getmembers().
887
1221
"""
888
1222
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1223
False)
890
1224
891
1225
def _get_all_dbus_things(self, thing):
892
1226
"""Returns a generator of (name, attribute) pairs
893
1227
"""
896
1230
for cls in self.__class__.__mro__
897
1231
for name, athing in
898
1232
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1233
900
1234
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1235
out_signature="s",
1236
path_keyword='object_path',
1237
connection_keyword='connection')
904
1238
def Introspect(self, object_path, connection):
905
1239
"""Overloading of standard D-Bus method.
906
1240
907
1241
Inserts annotation tags on methods and signals.
908
1242
"""
909
1243
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1244
connection)
911
1245
try:
912
1246
document = xml.dom.minidom.parseString(xmlstring)
913
1247
914
1248
for if_tag in document.getElementsByTagName("interface"):
915
1249
# Add annotation tags
916
1250
for typ in ("method", "signal"):
943
1277
if_tag.appendChild(ann_tag)
944
1278
# Fix argument name for the Introspect method itself
945
1279
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1280
== dbus.INTROSPECTABLE_IFACE):
947
1281
for cn in if_tag.getElementsByTagName("method"):
948
1282
if cn.getAttribute("name") == "Introspect":
949
1283
for arg in cn.getElementsByTagName("arg"):
962
1296
963
1297
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1298
"""A D-Bus object with properties.
965
1299
966
1300
Classes inheriting from this can use the dbus_service_property
967
1301
decorator to expose methods as D-Bus properties. It exposes the
968
1302
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1303
"""
970
1304
971
1305
def _get_dbus_property(self, interface_name, property_name):
972
1306
"""Returns a bound method if one exists which is a D-Bus
973
1307
property with the specified name and interface.
978
1312
if (value._dbus_name == property_name
979
1313
and value._dbus_interface == interface_name):
980
1314
return value.__get__(self)
981
1315
982
1316
# No such property
983
1317
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1318
self.dbus_object_path, interface_name, property_name))
985
1319
986
1320
@classmethod
987
1321
def _get_all_interface_names(cls):
988
1322
"""Get a sequence of all interfaces supported by an object"""
991
1325
for x in (inspect.getmro(cls))
992
1326
for attr in dir(x))
993
1327
if name is not None)
994
1328
995
1329
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1330
in_signature="ss",
997
1331
out_signature="v")
1005
1339
if not hasattr(value, "variant_level"):
1006
1340
return value
1007
1341
return type(value)(value, variant_level=value.variant_level+1)
1008
1342
1009
1343
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1344
def Set(self, interface_name, property_name, value):
1011
1345
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1357
value = dbus.ByteArray(b''.join(chr(byte)
1024
1358
for byte in value))
1025
1359
prop(value)
1026
1360
1027
1361
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1362
in_signature="s",
1029
1363
out_signature="a{sv}")
1030
1364
def GetAll(self, interface_name):
1031
1365
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1366
standard.
1033
1367
1034
1368
Note: Will not include properties with access="write".
1035
1369
"""
1036
1370
properties = {}
1047
1381
properties[name] = value
1048
1382
continue
1049
1383
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1384
value, variant_level=value.variant_level + 1)
1051
1385
return dbus.Dictionary(properties, signature="sv")
1052
1386
1053
1387
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1388
def PropertiesChanged(self, interface_name, changed_properties,
1055
1389
invalidated_properties):
1057
1391
standard.
1058
1392
"""
1059
1393
pass
1060
1394
1061
1395
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1396
out_signature="s",
1063
1397
path_keyword='object_path',
1064
1398
connection_keyword='connection')
1065
1399
def Introspect(self, object_path, connection):
1066
1400
"""Overloading of standard D-Bus method.
1067
1401
1068
1402
Inserts property tags and interface annotation tags.
1069
1403
"""
1070
1404
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1406
connection)
1073
1407
try:
1074
1408
document = xml.dom.minidom.parseString(xmlstring)
1075
1409
1076
1410
def make_tag(document, name, prop):
1077
1411
e = document.createElement("property")
1078
1412
e.setAttribute("name", name)
1079
1413
e.setAttribute("type", prop._dbus_signature)
1080
1414
e.setAttribute("access", prop._dbus_access)
1081
1415
return e
1082
1416
1083
1417
for if_tag in document.getElementsByTagName("interface"):
1084
1418
# Add property tags
1085
1419
for tag in (make_tag(document, name, prop)
1132
1466
except AttributeError:
1133
1467
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1468
1469
1135
1470
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1471
"""A D-Bus object with an ObjectManager.
1137
1472
1138
1473
Classes inheriting from this exposes the standard
1139
1474
GetManagedObjects call and the InterfacesAdded and
1140
1475
InterfacesRemoved signals on the standard
1141
1476
"org.freedesktop.DBus.ObjectManager" interface.
1142
1477
1143
1478
Note: No signals are sent automatically; they must be sent
1144
1479
manually.
1145
1480
"""
1146
1481
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1482
out_signature="a{oa{sa{sv}}}")
1148
1483
def GetManagedObjects(self):
1149
1484
"""This function must be overridden"""
1150
1485
raise NotImplementedError()
1151
1486
1152
1487
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1488
signature="oa{sa{sv}}")
1154
1489
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1490
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1491
1492
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1493
def InterfacesRemoved(self, object_path, interfaces):
1159
1494
pass
1160
1495
1161
1496
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1497
out_signature="s",
1498
path_keyword='object_path',
1499
connection_keyword='connection')
1165
1500
def Introspect(self, object_path, connection):
1166
1501
"""Overloading of standard D-Bus method.
1167
1502
1168
1503
Override return argument name of GetManagedObjects to be
1169
1504
"objpath_interfaces_and_properties"
1170
1505
"""
1173
1508
connection)
1174
1509
try:
1175
1510
document = xml.dom.minidom.parseString(xmlstring)
1176
1511
1177
1512
for if_tag in document.getElementsByTagName("interface"):
1178
1513
# Fix argument name for the GetManagedObjects method
1179
1514
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1515
== dbus.OBJECT_MANAGER_IFACE):
1181
1516
for cn in if_tag.getElementsByTagName("method"):
1182
1517
if (cn.getAttribute("name")
1183
1518
== "GetManagedObjects"):
1193
1528
except (AttributeError, xml.dom.DOMException,
1194
1529
xml.parsers.expat.ExpatError) as error:
1195
1530
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1531
exc_info=error)
1197
1532
return xmlstring
1198
1533
1534
1199
1535
def datetime_to_dbus(dt, variant_level=0):
1200
1536
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1537
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1538
return dbus.String("", variant_level=variant_level)
1203
1539
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1540
1205
1541
1208
1544
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1545
interface names according to the "alt_interface_names" mapping.
1210
1546
Usage:
1211
1547
1212
1548
@alternate_dbus_interfaces({"org.example.Interface":
1213
1549
"net.example.AlternateInterface"})
1214
1550
class SampleDBusObject(dbus.service.Object):
1215
1551
@dbus.service.method("org.example.Interface")
1216
1552
def SampleDBusMethod():
1217
1553
pass
1218
1554
1219
1555
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1556
reachable via two interfaces: "org.example.Interface" and
1221
1557
"net.example.AlternateInterface", the latter of which will have
1222
1558
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1559
"true", unless "deprecate" is passed with a False value.
1224
1560
1225
1561
This works for methods and signals, and also for D-Bus properties
1226
1562
(from DBusObjectWithProperties) and interfaces (from the
1227
1563
dbus_interface_annotations decorator).
1228
1564
"""
1229
1565
1230
1566
def wrapper(cls):
1231
1567
for orig_interface_name, alt_interface_name in (
1232
1568
alt_interface_names.items()):
1247
1583
interface_names.add(alt_interface)
1248
1584
# Is this a D-Bus signal?
1249
1585
if getattr(attribute, "_dbus_is_signal", False):
1586
# Extract the original non-method undecorated
1587
# function by black magic
1250
1588
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1589
nonmethod_func = (dict(
1254
1590
zip(attribute.func_code.co_freevars,
1255
1591
attribute.__closure__))
1256
1592
["func"].cell_contents)
1257
1593
else:
1258
nonmethod_func = attribute
1594
nonmethod_func = (dict(
1595
zip(attribute.__code__.co_freevars,
1596
attribute.__closure__))
1597
["func"].cell_contents)
1259
1598
# Create a new, but exactly alike, function
1260
1599
# object, and decorate it to be a new D-Bus signal
1261
1600
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1601
new_function = copy_function(nonmethod_func)
1276
1602
new_function = (dbus.service.signal(
1277
1603
alt_interface,
1278
1604
attribute._dbus_signature)(new_function))
1282
1608
attribute._dbus_annotations)
1283
1609
except AttributeError:
1284
1610
pass
1611
1285
1612
# Define a creator of a function to call both the
1286
1613
# original and alternate functions, so both the
1287
1614
# original and alternate signals gets sent when
1290
1617
"""This function is a scope container to pass
1291
1618
func1 and func2 to the "call_both" function
1292
1619
outside of its arguments"""
1293
1620
1294
1621
@functools.wraps(func2)
1295
1622
def call_both(*args, **kwargs):
1296
1623
"""This function will emit two D-Bus
1297
1624
signals by calling func1 and func2"""
1298
1625
func1(*args, **kwargs)
1299
1626
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1627
# Make wrapper function look like a D-Bus
1628
# signal
1301
1629
for name, attr in inspect.getmembers(func2):
1302
1630
if name.startswith("_dbus_"):
1303
1631
setattr(call_both, name, attr)
1304
1632
1305
1633
return call_both
1306
1634
# Create the "call_both" function and add it to
1307
1635
# the class
1317
1645
alt_interface,
1318
1646
attribute._dbus_in_signature,
1319
1647
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1648
(copy_function(attribute)))
1325
1649
# Copy annotations, if any
1326
1650
try:
1327
1651
attr[attrname]._dbus_annotations = dict(
1339
1663
attribute._dbus_access,
1340
1664
attribute._dbus_get_args_options
1341
1665
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1666
(copy_function(attribute)))
1348
1667
# Copy annotations, if any
1349
1668
try:
1350
1669
attr[attrname]._dbus_annotations = dict(
1359
1678
# to the class.
1360
1679
attr[attrname] = (
1361
1680
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1681
(copy_function(attribute)))
1367
1682
if deprecate:
1368
1683
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1684
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1685
for interface_name in interface_names:
1371
1686
1372
1687
@dbus_interface_annotations(interface_name)
1373
1688
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1689
return {"org.freedesktop.DBus.Deprecated":
1690
"true"}
1376
1691
# Find an unused name
1377
1692
for aname in (iname.format(i)
1378
1693
for i in itertools.count()):
1382
1697
if interface_names:
1383
1698
# Replace the class with a new subclass of it with
1384
1699
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1700
if sys.version_info.major == 2:
1701
cls = type(b"{}Alternate".format(cls.__name__),
1702
(cls, ), attr)
1703
else:
1704
cls = type("{}Alternate".format(cls.__name__),
1705
(cls, ), attr)
1387
1706
return cls
1388
1707
1389
1708
return wrapper
1390
1709
1391
1710
1393
1712
"se.bsnet.fukt.Mandos"})
1394
1713
class ClientDBus(Client, DBusObjectWithProperties):
1395
1714
"""A Client class using D-Bus
1396
1715
1397
1716
Attributes:
1398
1717
dbus_object_path: dbus.ObjectPath
1399
1718
bus: dbus.SystemBus()
1400
1719
"""
1401
1720
1402
1721
runtime_expansions = (Client.runtime_expansions
1403
1722
+ ("dbus_object_path", ))
1404
1723
1405
1724
_interface = "se.recompile.Mandos.Client"
1406
1725
1407
1726
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1727
1728
def __init__(self, bus=None, *args, **kwargs):
1410
1729
self.bus = bus
1411
1730
Client.__init__(self, *args, **kwargs)
1412
1731
# Only now, when this client is initialized, can it show up on
1418
1737
"/clients/" + client_object_name)
1419
1738
DBusObjectWithProperties.__init__(self, self.bus,
1420
1739
self.dbus_object_path)
1421
1740
1422
1741
def notifychangeproperty(transform_func, dbus_name,
1423
1742
type_func=lambda x: x,
1424
1743
variant_level=1,
1426
1745
_interface=_interface):
1427
1746
""" Modify a variable so that it's a property which announces
1428
1747
its changes to DBus.
1429
1748
1430
1749
transform_fun: Function that takes a value and a variant_level
1431
1750
and transforms it to a D-Bus type.
1432
1751
dbus_name: D-Bus name of the variable
1435
1754
variant_level: D-Bus variant level. Default: 1
1436
1755
"""
1437
1756
attrname = "_{}".format(dbus_name)
1438
1757
1439
1758
def setter(self, value):
1440
1759
if hasattr(self, "dbus_object_path"):
1441
1760
if (not hasattr(self, attrname) or
1448
1767
else:
1449
1768
dbus_value = transform_func(
1450
1769
type_func(value),
1451
variant_level = variant_level)
1770
variant_level=variant_level)
1452
1771
self.PropertyChanged(dbus.String(dbus_name),
1453
1772
dbus_value)
1454
1773
self.PropertiesChanged(
1455
1774
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1775
dbus.Dictionary({dbus.String(dbus_name):
1776
dbus_value}),
1458
1777
dbus.Array())
1459
1778
setattr(self, attrname, value)
1460
1779
1461
1780
return property(lambda self: getattr(self, attrname), setter)
1462
1781
1463
1782
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1783
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1784
"ApprovalPending",
1466
type_func = bool)
1785
type_func=bool)
1467
1786
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1787
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1788
"LastEnabled")
1470
1789
checker = notifychangeproperty(
1471
1790
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1791
type_func=lambda checker: checker is not None)
1473
1792
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1793
"LastCheckedOK")
1475
1794
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1799
"ApprovedByDefault")
1481
1800
approval_delay = notifychangeproperty(
1482
1801
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1802
type_func=lambda td: td.total_seconds() * 1000)
1484
1803
approval_duration = notifychangeproperty(
1485
1804
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1805
type_func=lambda td: td.total_seconds() * 1000)
1487
1806
host = notifychangeproperty(dbus.String, "Host")
1488
1807
timeout = notifychangeproperty(
1489
1808
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1809
type_func=lambda td: td.total_seconds() * 1000)
1491
1810
extended_timeout = notifychangeproperty(
1492
1811
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1812
type_func=lambda td: td.total_seconds() * 1000)
1494
1813
interval = notifychangeproperty(
1495
1814
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1815
type_func=lambda td: td.total_seconds() * 1000)
1497
1816
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1817
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1818
invalidate_only=True)
1500
1819
1501
1820
del notifychangeproperty
1502
1821
1503
1822
def __del__(self, *args, **kwargs):
1504
1823
try:
1505
1824
self.remove_from_connection()
1508
1827
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1828
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1829
Client.__del__(self, *args, **kwargs)
1511
1830
1512
1831
def checker_callback(self, source, condition,
1513
1832
connection, command, *args, **kwargs):
1514
1833
ret = Client.checker_callback(self, source, condition,
1530
1849
| self.last_checker_signal),
1531
1850
dbus.String(command))
1532
1851
return ret
1533
1852
1534
1853
def start_checker(self, *args, **kwargs):
1535
1854
old_checker_pid = getattr(self.checker, "pid", None)
1536
1855
r = Client.start_checker(self, *args, **kwargs)
1540
1859
# Emit D-Bus signal
1541
1860
self.CheckerStarted(self.current_checker_command)
1542
1861
return r
1543
1862
1544
1863
def _reset_approved(self):
1545
1864
self.approved = None
1546
1865
return False
1547
1866
1548
1867
def approve(self, value=True):
1549
1868
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1869
GLib.timeout_add(int(self.approval_duration.total_seconds()
1870
* 1000), self._reset_approved)
1552
1871
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1872
1873
# D-Bus methods, signals & properties
1874
1875
# Interfaces
1876
1877
# Signals
1878
1560
1879
# CheckerCompleted - signal
1561
1880
@dbus.service.signal(_interface, signature="nxs")
1562
1881
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1882
"D-Bus signal"
1564
1883
pass
1565
1884
1566
1885
# CheckerStarted - signal
1567
1886
@dbus.service.signal(_interface, signature="s")
1568
1887
def CheckerStarted(self, command):
1569
1888
"D-Bus signal"
1570
1889
pass
1571
1890
1572
1891
# PropertyChanged - signal
1573
1892
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1893
@dbus.service.signal(_interface, signature="sv")
1575
1894
def PropertyChanged(self, property, value):
1576
1895
"D-Bus signal"
1577
1896
pass
1578
1897
1579
1898
# GotSecret - signal
1580
1899
@dbus.service.signal(_interface)
1581
1900
def GotSecret(self):
1584
1903
server to mandos-client
1585
1904
"""
1586
1905
pass
1587
1906
1588
1907
# Rejected - signal
1589
1908
@dbus.service.signal(_interface, signature="s")
1590
1909
def Rejected(self, reason):
1591
1910
"D-Bus signal"
1592
1911
pass
1593
1912
1594
1913
# NeedApproval - signal
1595
1914
@dbus.service.signal(_interface, signature="tb")
1596
1915
def NeedApproval(self, timeout, default):
1597
1916
"D-Bus signal"
1598
1917
return self.need_approval()
1599
1600
## Methods
1601
1918
1919
# Methods
1920
1602
1921
# Approve - method
1603
1922
@dbus.service.method(_interface, in_signature="b")
1604
1923
def Approve(self, value):
1605
1924
self.approve(value)
1606
1925
1607
1926
# CheckedOK - method
1608
1927
@dbus.service.method(_interface)
1609
1928
def CheckedOK(self):
1610
1929
self.checked_ok()
1611
1930
1612
1931
# Enable - method
1613
1932
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1933
@dbus.service.method(_interface)
1615
1934
def Enable(self):
1616
1935
"D-Bus method"
1617
1936
self.enable()
1618
1937
1619
1938
# StartChecker - method
1620
1939
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1940
@dbus.service.method(_interface)
1622
1941
def StartChecker(self):
1623
1942
"D-Bus method"
1624
1943
self.start_checker()
1625
1944
1626
1945
# Disable - method
1627
1946
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
1947
@dbus.service.method(_interface)
1629
1948
def Disable(self):
1630
1949
"D-Bus method"
1631
1950
self.disable()
1632
1951
1633
1952
# StopChecker - method
1634
1953
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
1954
@dbus.service.method(_interface)
1636
1955
def StopChecker(self):
1637
1956
self.stop_checker()
1638
1639
## Properties
1640
1957
1958
# Properties
1959
1641
1960
# ApprovalPending - property
1642
1961
@dbus_service_property(_interface, signature="b", access="read")
1643
1962
def ApprovalPending_dbus_property(self):
1644
1963
return dbus.Boolean(bool(self.approvals_pending))
1645
1964
1646
1965
# ApprovedByDefault - property
1647
1966
@dbus_service_property(_interface,
1648
1967
signature="b",
1651
1970
if value is None: # get
1652
1971
return dbus.Boolean(self.approved_by_default)
1653
1972
self.approved_by_default = bool(value)
1654
1973
1655
1974
# ApprovalDelay - property
1656
1975
@dbus_service_property(_interface,
1657
1976
signature="t",
1661
1980
return dbus.UInt64(self.approval_delay.total_seconds()
1662
1981
* 1000)
1663
1982
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
1983
1665
1984
# ApprovalDuration - property
1666
1985
@dbus_service_property(_interface,
1667
1986
signature="t",
1671
1990
return dbus.UInt64(self.approval_duration.total_seconds()
1672
1991
* 1000)
1673
1992
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
1993
1675
1994
# Name - property
1676
1995
@dbus_annotations(
1677
1996
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
1997
@dbus_service_property(_interface, signature="s", access="read")
1679
1998
def Name_dbus_property(self):
1680
1999
return dbus.String(self.name)
1681
2000
1682
2001
# Fingerprint - property
1683
2002
@dbus_annotations(
1684
2003
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2004
@dbus_service_property(_interface, signature="s", access="read")
1686
2005
def Fingerprint_dbus_property(self):
1687
2006
return dbus.String(self.fingerprint)
1688
2007
1689
2008
# Host - property
1690
2009
@dbus_service_property(_interface,
1691
2010
signature="s",
1694
2013
if value is None: # get
1695
2014
return dbus.String(self.host)
1696
2015
self.host = str(value)
1697
2016
1698
2017
# Created - property
1699
2018
@dbus_annotations(
1700
2019
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2020
@dbus_service_property(_interface, signature="s", access="read")
1702
2021
def Created_dbus_property(self):
1703
2022
return datetime_to_dbus(self.created)
1704
2023
1705
2024
# LastEnabled - property
1706
2025
@dbus_service_property(_interface, signature="s", access="read")
1707
2026
def LastEnabled_dbus_property(self):
1708
2027
return datetime_to_dbus(self.last_enabled)
1709
2028
1710
2029
# Enabled - property
1711
2030
@dbus_service_property(_interface,
1712
2031
signature="b",
1718
2037
self.enable()
1719
2038
else:
1720
2039
self.disable()
1721
2040
1722
2041
# LastCheckedOK - property
1723
2042
@dbus_service_property(_interface,
1724
2043
signature="s",
1728
2047
self.checked_ok()
1729
2048
return
1730
2049
return datetime_to_dbus(self.last_checked_ok)
1731
2050
1732
2051
# LastCheckerStatus - property
1733
2052
@dbus_service_property(_interface, signature="n", access="read")
1734
2053
def LastCheckerStatus_dbus_property(self):
1735
2054
return dbus.Int16(self.last_checker_status)
1736
2055
1737
2056
# Expires - property
1738
2057
@dbus_service_property(_interface, signature="s", access="read")
1739
2058
def Expires_dbus_property(self):
1740
2059
return datetime_to_dbus(self.expires)
1741
2060
1742
2061
# LastApprovalRequest - property
1743
2062
@dbus_service_property(_interface, signature="s", access="read")
1744
2063
def LastApprovalRequest_dbus_property(self):
1745
2064
return datetime_to_dbus(self.last_approval_request)
1746
2065
1747
2066
# Timeout - property
1748
2067
@dbus_service_property(_interface,
1749
2068
signature="t",
1764
2083
if (getattr(self, "disable_initiator_tag", None)
1765
2084
is None):
1766
2085
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2086
GLib.source_remove(self.disable_initiator_tag)
2087
self.disable_initiator_tag = GLib.timeout_add(
1769
2088
int((self.expires - now).total_seconds() * 1000),
1770
2089
self.disable)
1771
2090
1772
2091
# ExtendedTimeout - property
1773
2092
@dbus_service_property(_interface,
1774
2093
signature="t",
1778
2097
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2098
* 1000)
1780
2099
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2100
1782
2101
# Interval - property
1783
2102
@dbus_service_property(_interface,
1784
2103
signature="t",
1791
2110
return
1792
2111
if self.enabled:
1793
2112
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2113
GLib.source_remove(self.checker_initiator_tag)
2114
self.checker_initiator_tag = GLib.timeout_add(
1796
2115
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2116
self.start_checker() # Start one now, too
2117
1799
2118
# Checker - property
1800
2119
@dbus_service_property(_interface,
1801
2120
signature="s",
1804
2123
if value is None: # get
1805
2124
return dbus.String(self.checker_command)
1806
2125
self.checker_command = str(value)
1807
2126
1808
2127
# CheckerRunning - property
1809
2128
@dbus_service_property(_interface,
1810
2129
signature="b",
1816
2135
self.start_checker()
1817
2136
else:
1818
2137
self.stop_checker()
1819
2138
1820
2139
# ObjectPath - property
1821
2140
@dbus_annotations(
1822
2141
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2142
"org.freedesktop.DBus.Deprecated": "true"})
1824
2143
@dbus_service_property(_interface, signature="o", access="read")
1825
2144
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2145
return self.dbus_object_path # is already a dbus.ObjectPath
2146
1828
2147
# Secret = property
1829
2148
@dbus_annotations(
1830
2149
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2154
byte_arrays=True)
1836
2155
def Secret_dbus_property(self, value):
1837
2156
self.secret = bytes(value)
1838
2157
1839
2158
del _interface
1840
2159
1841
2160
1845
2164
self._pipe.send(('init', fpr, address))
1846
2165
if not self._pipe.recv():
1847
2166
raise KeyError(fpr)
1848
2167
1849
2168
def __getattribute__(self, name):
1850
2169
if name == '_pipe':
1851
2170
return super(ProxyClient, self).__getattribute__(name)
1854
2173
if data[0] == 'data':
1855
2174
return data[1]
1856
2175
if data[0] == 'function':
1857
2176
1858
2177
def func(*args, **kwargs):
1859
2178
self._pipe.send(('funcall', name, args, kwargs))
1860
2179
return self._pipe.recv()[1]
1861
2180
1862
2181
return func
1863
2182
1864
2183
def __setattr__(self, name, value):
1865
2184
if name == '_pipe':
1866
2185
return super(ProxyClient, self).__setattr__(name, value)
1869
2188
1870
2189
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2190
"""A class to handle client connections.
1872
2191
1873
2192
Instantiated once for each connection to handle it.
1874
2193
Note: This will run in its own forked process."""
1875
2194
1876
2195
def handle(self):
1877
2196
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2197
logger.info("TCP connection from: %s",
1879
2198
str(self.client_address))
1880
2199
logger.debug("Pipe FD: %d",
1881
2200
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2201
2202
session = gnutls.ClientSession(self.request)
2203
2204
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2205
# "+AES-256-CBC", "+SHA1",
2206
# "+COMP-NULL", "+CTYPE-OPENPGP",
2207
# "+DHE-DSS"))
1895
2208
# Use a fallback default, since this MUST be set.
1896
2209
priority = self.server.gnutls_priority
1897
2210
if priority is None:
1898
2211
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2212
gnutls.priority_set_direct(session._c_object,
2213
priority.encode("utf-8"),
2214
None)
2215
1902
2216
# Start communication using the Mandos protocol
1903
2217
# Get protocol number
1904
2218
line = self.request.makefile().readline()
1909
2223
except (ValueError, IndexError, RuntimeError) as error:
1910
2224
logger.error("Unknown protocol version: %s", error)
1911
2225
return
1912
2226
1913
2227
# Start GnuTLS connection
1914
2228
try:
1915
2229
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2230
except gnutls.Error as error:
1917
2231
logger.warning("Handshake failed: %s", error)
1918
2232
# Do not run session.bye() here: the session is not
1919
2233
# established. Just abandon the request.
1920
2234
return
1921
2235
logger.debug("Handshake succeeded")
1922
2236
1923
2237
approval_required = False
1924
2238
try:
1925
2239
try:
1926
2240
fpr = self.fingerprint(
1927
2241
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
2242
except (TypeError, gnutls.Error) as error:
1930
2243
logger.warning("Bad certificate: %s", error)
1931
2244
return
1932
2245
logger.debug("Fingerprint: %s", fpr)
1933
2246
1934
2247
try:
1935
2248
client = ProxyClient(child_pipe, fpr,
1936
2249
self.client_address)
1937
2250
except KeyError:
1938
2251
return
1939
2252
1940
2253
if client.approval_delay:
1941
2254
delay = client.approval_delay
1942
2255
client.approvals_pending += 1
1943
2256
approval_required = True
1944
2257
1945
2258
while True:
1946
2259
if not client.enabled:
1947
2260
logger.info("Client %s is disabled",
1950
2263
# Emit D-Bus signal
1951
2264
client.Rejected("Disabled")
1952
2265
return
1953
2266
1954
2267
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2268
# We are approved or approval is disabled
1956
2269
break
1957
2270
elif client.approved is None:
1958
2271
logger.info("Client %s needs approval",
1969
2282
# Emit D-Bus signal
1970
2283
client.Rejected("Denied")
1971
2284
return
1972
1973
#wait until timeout or approved
2285
2286
# wait until timeout or approved
1974
2287
time = datetime.datetime.now()
1975
2288
client.changedstate.acquire()
1976
2289
client.changedstate.wait(delay.total_seconds())
1989
2302
break
1990
2303
else:
1991
2304
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2305
2306
try:
2307
session.send(client.secret)
2308
except gnutls.Error as error:
2309
logger.warning("gnutls send failed",
2310
exc_info=error)
2311
return
2312
2006
2313
logger.info("Sending secret to %s", client.name)
2007
2314
# bump the timeout using extended_timeout
2008
2315
client.bump_timeout(client.extended_timeout)
2009
2316
if self.server.use_dbus:
2010
2317
# Emit D-Bus signal
2011
2318
client.GotSecret()
2012
2319
2013
2320
finally:
2014
2321
if approval_required:
2015
2322
client.approvals_pending -= 1
2016
2323
try:
2017
2324
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2325
except gnutls.Error as error:
2019
2326
logger.warning("GnuTLS bye failed",
2020
2327
exc_info=error)
2021
2328
2022
2329
@staticmethod
2023
2330
def peer_certificate(session):
2024
2331
"Return the peer's OpenPGP certificate as a bytestring"
2025
2332
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2333
if (gnutls.certificate_type_get(session._c_object)
2334
!= gnutls.CRT_OPENPGP):
2335
# ...return invalid data
2336
return b""
2031
2337
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2338
cert_list = (gnutls.certificate_get_peers
2034
2339
(session._c_object, ctypes.byref(list_size)))
2035
2340
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2341
raise gnutls.Error("error getting peer certificate")
2038
2342
if list_size.value == 0:
2039
2343
return None
2040
2344
cert = cert_list[0]
2041
2345
return ctypes.string_at(cert.data, cert.size)
2042
2346
2043
2347
@staticmethod
2044
2348
def fingerprint(openpgp):
2045
2349
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2350
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2351
datum = gnutls.datum_t(
2048
2352
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2353
ctypes.POINTER(ctypes.c_ubyte)),
2050
2354
ctypes.c_uint(len(openpgp)))
2051
2355
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2356
crt = gnutls.openpgp_crt_t()
2357
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2358
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2359
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2360
gnutls.OPENPGP_FMT_RAW)
2059
2361
# Verify the self signature in the key
2060
2362
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2363
gnutls.openpgp_crt_verify_self(crt, 0,
2364
ctypes.byref(crtverify))
2063
2365
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2366
gnutls.openpgp_crt_deinit(crt)
2367
raise gnutls.CertificateSecurityError("Verify failed")
2067
2368
# New buffer for the fingerprint
2068
2369
buf = ctypes.create_string_buffer(20)
2069
2370
buf_len = ctypes.c_size_t()
2070
2371
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2372
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2373
ctypes.byref(buf_len))
2073
2374
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2375
gnutls.openpgp_crt_deinit(crt)
2075
2376
# Convert the buffer to a Python bytestring
2076
2377
fpr = ctypes.string_at(buf, buf_len.value)
2077
2378
# Convert the bytestring to hexadecimal notation
2081
2382
2082
2383
class MultiprocessingMixIn(object):
2083
2384
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2385
2085
2386
def sub_process_main(self, request, address):
2086
2387
try:
2087
2388
self.finish_request(request, address)
2088
2389
except Exception:
2089
2390
self.handle_error(request, address)
2090
2391
self.close_request(request)
2091
2392
2092
2393
def process_request(self, request, address):
2093
2394
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2395
proc = multiprocessing.Process(target=self.sub_process_main,
2396
args=(request, address))
2096
2397
proc.start()
2097
2398
return proc
2098
2399
2099
2400
2100
2401
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2101
2402
""" adds a pipe to the MixIn """
2102
2403
2103
2404
def process_request(self, request, client_address):
2104
2405
"""Overrides and wraps the original process_request().
2105
2406
2106
2407
This function creates a new pipe in self.pipe
2107
2408
"""
2108
2409
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2410
2110
2411
proc = MultiprocessingMixIn.process_request(self, request,
2111
2412
client_address)
2112
2413
self.child_pipe.close()
2113
2414
self.add_pipe(parent_pipe, proc)
2114
2415
2115
2416
def add_pipe(self, parent_pipe, proc):
2116
2417
"""Dummy function; override as necessary"""
2117
2418
raise NotImplementedError()
2120
2421
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
2422
socketserver.TCPServer, object):
2122
2423
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2424
2124
2425
Attributes:
2125
2426
enabled: Boolean; whether this server is activated yet
2126
2427
interface: None or a network interface name (string)
2127
2428
use_ipv6: Boolean; to use IPv6 or not
2128
2429
"""
2129
2430
2130
2431
def __init__(self, server_address, RequestHandlerClass,
2131
2432
interface=None,
2132
2433
use_ipv6=True,
2142
2443
self.socketfd = socketfd
2143
2444
# Save the original socket.socket() function
2144
2445
self.socket_socket = socket.socket
2446
2145
2447
# To implement --socket, we monkey patch socket.socket.
2146
#
2448
#
2147
2449
# (When socketserver.TCPServer is a new-style class, we
2148
2450
# could make self.socket into a property instead of monkey
2149
2451
# patching socket.socket.)
2150
#
2452
#
2151
2453
# Create a one-time-only replacement for socket.socket()
2152
2454
@functools.wraps(socket.socket)
2153
2455
def socket_wrapper(*args, **kwargs):
2165
2467
# socket_wrapper(), if socketfd was set.
2166
2468
socketserver.TCPServer.__init__(self, server_address,
2167
2469
RequestHandlerClass)
2168
2470
2169
2471
def server_bind(self):
2170
2472
"""This overrides the normal server_bind() function
2171
2473
to bind to an interface if one was specified, and also NOT to
2172
2474
bind to an address or port if they were not specified."""
2475
global SO_BINDTODEVICE
2173
2476
if self.interface is not None:
2174
2477
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2478
# Fall back to a hard-coded value which seems to be
2479
# common enough.
2480
logger.warning("SO_BINDTODEVICE not found, trying 25")
2481
SO_BINDTODEVICE = 25
2482
try:
2483
self.socket.setsockopt(
2484
socket.SOL_SOCKET, SO_BINDTODEVICE,
2485
(self.interface + "\0").encode("utf-8"))
2486
except socket.error as error:
2487
if error.errno == errno.EPERM:
2488
logger.error("No permission to bind to"
2489
" interface %s", self.interface)
2490
elif error.errno == errno.ENOPROTOOPT:
2491
logger.error("SO_BINDTODEVICE not available;"
2492
" cannot bind to interface %s",
2493
self.interface)
2494
elif error.errno == errno.ENODEV:
2495
logger.error("Interface %s does not exist,"
2496
" cannot bind", self.interface)
2497
else:
2498
raise
2196
2499
# Only bind(2) the socket if we really need to.
2197
2500
if self.server_address[0] or self.server_address[1]:
2198
2501
if not self.server_address[0]:
2199
2502
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2503
any_address = "::" # in6addr_any
2201
2504
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2505
any_address = "0.0.0.0" # INADDR_ANY
2203
2506
self.server_address = (any_address,
2204
2507
self.server_address[1])
2205
2508
elif not self.server_address[1]:
2215
2518
2216
2519
class MandosServer(IPv6_TCPServer):
2217
2520
"""Mandos server.
2218
2521
2219
2522
Attributes:
2220
2523
clients: set of Client objects
2221
2524
gnutls_priority GnuTLS priority string
2222
2525
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2526
2527
Assumes a GLib.MainLoop event loop.
2225
2528
"""
2226
2529
2227
2530
def __init__(self, server_address, RequestHandlerClass,
2228
2531
interface=None,
2229
2532
use_ipv6=True,
2239
2542
self.gnutls_priority = gnutls_priority
2240
2543
IPv6_TCPServer.__init__(self, server_address,
2241
2544
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2545
interface=interface,
2546
use_ipv6=use_ipv6,
2547
socketfd=socketfd)
2548
2246
2549
def server_activate(self):
2247
2550
if self.enabled:
2248
2551
return socketserver.TCPServer.server_activate(self)
2249
2552
2250
2553
def enable(self):
2251
2554
self.enabled = True
2252
2555
2253
2556
def add_pipe(self, parent_pipe, proc):
2254
2557
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2558
GLib.io_add_watch(
2256
2559
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2560
GLib.IO_IN | GLib.IO_HUP,
2258
2561
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2562
parent_pipe=parent_pipe,
2563
proc=proc))
2564
2262
2565
def handle_ipc(self, source, condition,
2263
2566
parent_pipe=None,
2264
proc = None,
2567
proc=None,
2265
2568
client_object=None):
2266
2569
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2570
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2571
# Wait for other process to exit
2269
2572
proc.join()
2270
2573
return False
2271
2574
2272
2575
# Read a request from the child
2273
2576
request = parent_pipe.recv()
2274
2577
command = request[0]
2275
2578
2276
2579
if command == 'init':
2277
2580
fpr = request[1]
2278
2581
address = request[2]
2279
2280
for c in self.clients.itervalues():
2582
2583
for c in self.clients.values():
2281
2584
if c.fingerprint == fpr:
2282
2585
client = c
2283
2586
break
2290
2593
address[0])
2291
2594
parent_pipe.send(False)
2292
2595
return False
2293
2294
gobject.io_add_watch(
2596
2597
GLib.io_add_watch(
2295
2598
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2599
GLib.IO_IN | GLib.IO_HUP,
2297
2600
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2601
parent_pipe=parent_pipe,
2602
proc=proc,
2603
client_object=client))
2301
2604
parent_pipe.send(True)
2302
2605
# remove the old hook in favor of the new above hook on
2303
2606
# same fileno
2306
2609
funcname = request[1]
2307
2610
args = request[2]
2308
2611
kwargs = request[3]
2309
2612
2310
2613
parent_pipe.send(('data', getattr(client_object,
2311
2614
funcname)(*args,
2312
2615
**kwargs)))
2313
2616
2314
2617
if command == 'getattr':
2315
2618
attrname = request[1]
2316
2619
if isinstance(client_object.__getattribute__(attrname),
2319
2622
else:
2320
2623
parent_pipe.send((
2321
2624
'data', client_object.__getattribute__(attrname)))
2322
2625
2323
2626
if command == 'setattr':
2324
2627
attrname = request[1]
2325
2628
value = request[2]
2326
2629
setattr(client_object, attrname, value)
2327
2630
2328
2631
return True
2329
2632
2330
2633
2331
2634
def rfc3339_duration_to_delta(duration):
2332
2635
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2636
2334
2637
>>> rfc3339_duration_to_delta("P7D")
2335
2638
datetime.timedelta(7)
2336
2639
>>> rfc3339_duration_to_delta("PT60S")
2346
2649
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2650
datetime.timedelta(1, 200)
2348
2651
"""
2349
2652
2350
2653
# Parsing an RFC 3339 duration with regular expressions is not
2351
2654
# possible - there would have to be multiple places for the same
2352
2655
# values, like seconds. The current code, while more esoteric, is
2353
2656
# cleaner without depending on a parsing library. If Python had a
2354
2657
# built-in library for parsing we would use it, but we'd like to
2355
2658
# avoid excessive use of external libraries.
2356
2659
2357
2660
# New type for defining tokens, syntax, and semantics all-in-one
2358
2661
Token = collections.namedtuple("Token", (
2359
2662
"regexp", # To match token; if "value" is not None, must have
2392
2695
frozenset((token_year, token_month,
2393
2696
token_day, token_time,
2394
2697
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2698
# Define starting values:
2699
# Value so far
2700
value = datetime.timedelta()
2397
2701
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2702
# Following valid tokens
2703
followers = frozenset((token_duration, ))
2704
# String left to parse
2705
s = duration
2400
2706
# Loop until end token is found
2401
2707
while found_token is not token_end:
2402
2708
# Search for any currently valid tokens
2426
2732
2427
2733
def string_to_delta(interval):
2428
2734
"""Parse a string and return a datetime.timedelta
2429
2735
2430
2736
>>> string_to_delta('7d')
2431
2737
datetime.timedelta(7)
2432
2738
>>> string_to_delta('60s')
2440
2746
>>> string_to_delta('5m 30s')
2441
2747
datetime.timedelta(0, 330)
2442
2748
"""
2443
2749
2444
2750
try:
2445
2751
return rfc3339_duration_to_delta(interval)
2446
2752
except ValueError:
2447
2753
pass
2448
2754
2449
2755
timevalue = datetime.timedelta(0)
2450
2756
for s in interval.split():
2451
2757
try:
2469
2775
return timevalue
2470
2776
2471
2777
2472
def daemon(nochdir = False, noclose = False):
2778
def daemon(nochdir=False, noclose=False):
2473
2779
"""See daemon(3). Standard BSD Unix function.
2474
2780
2475
2781
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2782
if os.fork():
2477
2783
sys.exit()
2495
2801
2496
2802
2497
2803
def main():
2498
2804
2499
2805
##################################################################
2500
2806
# Parsing of options, both command line and config file
2501
2807
2502
2808
parser = argparse.ArgumentParser()
2503
2809
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2810
version="%(prog)s {}".format(version),
2505
2811
help="show version number and exit")
2506
2812
parser.add_argument("-i", "--interface", metavar="IF",
2507
2813
help="Bind to interface IF")
2543
2849
parser.add_argument("--no-zeroconf", action="store_false",
2544
2850
dest="zeroconf", help="Do not use Zeroconf",
2545
2851
default=None)
2546
2852
2547
2853
options = parser.parse_args()
2548
2854
2549
2855
if options.check:
2550
2856
import doctest
2551
2857
fail_count, test_count = doctest.testmod()
2552
2858
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2859
2554
2860
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2861
server_defaults = {"interface": "",
2862
"address": "",
2863
"port": "",
2864
"debug": "False",
2865
"priority":
2866
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2867
":+SIGN-DSA-SHA256",
2868
"servicename": "Mandos",
2869
"use_dbus": "True",
2870
"use_ipv6": "True",
2871
"debuglevel": "",
2872
"restore": "True",
2873
"socket": "",
2874
"statedir": "/var/lib/mandos",
2875
"foreground": "False",
2876
"zeroconf": "True",
2877
}
2878
2573
2879
# Parse config file for server-global settings
2574
2880
server_config = configparser.SafeConfigParser(server_defaults)
2575
2881
del server_defaults
2593
2899
server_settings["socket"] = os.dup(server_settings
2594
2900
["socket"])
2595
2901
del server_config
2596
2902
2597
2903
# Override the settings from the config file with command line
2598
2904
# options, if set.
2599
2905
for option in ("interface", "address", "port", "debug",
2617
2923
if server_settings["debug"]:
2618
2924
server_settings["foreground"] = True
2619
2925
# Now we have our good server settings in "server_settings"
2620
2926
2621
2927
##################################################################
2622
2928
2623
2929
if (not server_settings["zeroconf"]
2624
2930
and not (server_settings["port"]
2625
2931
or server_settings["socket"] != "")):
2626
2932
parser.error("Needs port or socket to work without Zeroconf")
2627
2933
2628
2934
# For convenience
2629
2935
debug = server_settings["debug"]
2630
2936
debuglevel = server_settings["debuglevel"]
2634
2940
stored_state_file)
2635
2941
foreground = server_settings["foreground"]
2636
2942
zeroconf = server_settings["zeroconf"]
2637
2943
2638
2944
if debug:
2639
2945
initlogger(debug, logging.DEBUG)
2640
2946
else:
2643
2949
else:
2644
2950
level = getattr(logging, debuglevel.upper())
2645
2951
initlogger(debug, level)
2646
2952
2647
2953
if server_settings["servicename"] != "Mandos":
2648
2954
syslogger.setFormatter(
2649
2955
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
2956
' %(levelname)s: %(message)s'.format(
2651
2957
server_settings["servicename"])))
2652
2958
2653
2959
# Parse config file with clients
2654
2960
client_config = configparser.SafeConfigParser(Client
2655
2961
.client_defaults)
2656
2962
client_config.read(os.path.join(server_settings["configdir"],
2657
2963
"clients.conf"))
2658
2964
2659
2965
global mandos_dbus_service
2660
2966
mandos_dbus_service = None
2661
2967
2662
2968
socketfd = None
2663
2969
if server_settings["socket"] != "":
2664
2970
socketfd = server_settings["socket"]
2680
2986
except IOError as e:
2681
2987
logger.error("Could not open file %r", pidfilename,
2682
2988
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
2989
2990
for name, group in (("_mandos", "_mandos"),
2991
("mandos", "mandos"),
2992
("nobody", "nogroup")):
2685
2993
try:
2686
2994
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
2995
gid = pwd.getpwnam(group).pw_gid
2688
2996
break
2689
2997
except KeyError:
2690
2998
continue
2694
3002
try:
2695
3003
os.setgid(gid)
2696
3004
os.setuid(uid)
3005
if debug:
3006
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3007
gid))
2697
3008
except OSError as error:
3009
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3010
.format(uid, gid, os.strerror(error.errno)))
2698
3011
if error.errno != errno.EPERM:
2699
3012
raise
2700
3013
2701
3014
if debug:
2702
3015
# Enable all possible GnuTLS debugging
2703
3016
2704
3017
# "Use a log level over 10 to enable all debugging options."
2705
3018
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3019
gnutls.global_set_log_level(11)
3020
3021
@gnutls.log_func
2709
3022
def debug_gnutls(level, string):
2710
3023
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3024
3025
gnutls.global_set_log_function(debug_gnutls)
3026
2715
3027
# Redirect stdin so all checkers get /dev/null
2716
3028
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3029
os.dup2(null, sys.stdin.fileno())
2718
3030
if null > 2:
2719
3031
os.close(null)
2720
3032
2721
3033
# Need to fork before connecting to D-Bus
2722
3034
if not foreground:
2723
3035
# Close all input and output, do double fork, etc.
2724
3036
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3037
3038
# multiprocessing will use threads, so before we use GLib we need
3039
# to inform GLib that threads will be used.
3040
GLib.threads_init()
3041
2730
3042
global main_loop
2731
3043
# From the Avahi example code
2732
3044
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3045
main_loop = GLib.MainLoop()
2734
3046
bus = dbus.SystemBus()
2735
3047
# End of Avahi example code
2736
3048
if use_dbus:
2749
3061
if zeroconf:
2750
3062
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3063
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3064
name=server_settings["servicename"],
3065
servicetype="_mandos._tcp",
3066
protocol=protocol,
3067
bus=bus)
2756
3068
if server_settings["interface"]:
2757
3069
service.interface = if_nametoindex(
2758
3070
server_settings["interface"].encode("utf-8"))
2759
3071
2760
3072
global multiprocessing_manager
2761
3073
multiprocessing_manager = multiprocessing.Manager()
2762
3074
2763
3075
client_class = Client
2764
3076
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3077
client_class = functools.partial(ClientDBus, bus=bus)
3078
2767
3079
client_settings = Client.config_parser(client_config)
2768
3080
old_client_settings = {}
2769
3081
clients_data = {}
2770
3082
2771
3083
# This is used to redirect stdout and stderr for checker processes
2772
3084
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3085
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3086
# Only used if server is running in foreground but not in debug
2775
3087
# mode
2776
3088
if debug or not foreground:
2777
3089
wnull.close()
2778
3090
2779
3091
# Get client data and settings from last running state.
2780
3092
if server_settings["restore"]:
2781
3093
try:
2782
3094
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3095
if sys.version_info.major == 2:
3096
clients_data, old_client_settings = pickle.load(
3097
stored_state)
3098
else:
3099
bytes_clients_data, bytes_old_client_settings = (
3100
pickle.load(stored_state, encoding="bytes"))
3101
# Fix bytes to strings
3102
# clients_data
3103
# .keys()
3104
clients_data = {(key.decode("utf-8")
3105
if isinstance(key, bytes)
3106
else key): value
3107
for key, value in
3108
bytes_clients_data.items()}
3109
del bytes_clients_data
3110
for key in clients_data:
3111
value = {(k.decode("utf-8")
3112
if isinstance(k, bytes) else k): v
3113
for k, v in
3114
clients_data[key].items()}
3115
clients_data[key] = value
3116
# .client_structure
3117
value["client_structure"] = [
3118
(s.decode("utf-8")
3119
if isinstance(s, bytes)
3120
else s) for s in
3121
value["client_structure"]]
3122
# .name & .host
3123
for k in ("name", "host"):
3124
if isinstance(value[k], bytes):
3125
value[k] = value[k].decode("utf-8")
3126
# old_client_settings
3127
# .keys()
3128
old_client_settings = {
3129
(key.decode("utf-8")
3130
if isinstance(key, bytes)
3131
else key): value
3132
for key, value in
3133
bytes_old_client_settings.items()}
3134
del bytes_old_client_settings
3135
# .host
3136
for value in old_client_settings.values():
3137
if isinstance(value["host"], bytes):
3138
value["host"] = (value["host"]
3139
.decode("utf-8"))
2785
3140
os.remove(stored_state_path)
2786
3141
except IOError as e:
2787
3142
if e.errno == errno.ENOENT:
2795
3150
logger.warning("Could not load persistent state: "
2796
3151
"EOFError:",
2797
3152
exc_info=e)
2798
3153
2799
3154
with PGPEngine() as pgp:
2800
3155
for client_name, client in clients_data.items():
2801
3156
# Skip removed clients
2802
3157
if client_name not in client_settings:
2803
3158
continue
2804
3159
2805
3160
# Decide which value to use after restoring saved state.
2806
3161
# We have three different values: Old config file,
2807
3162
# new config file, and saved state.
2818
3173
client[name] = value
2819
3174
except KeyError:
2820
3175
pass
2821
3176
2822
3177
# Clients who has passed its expire date can still be
2823
3178
# enabled if its last checker was successful. A Client
2824
3179
# whose checker succeeded before we stored its state is
2857
3212
client_name))
2858
3213
client["secret"] = (client_settings[client_name]
2859
3214
["secret"])
2860
3215
2861
3216
# Add/remove clients based on new changes made to config
2862
3217
for client_name in (set(old_client_settings)
2863
3218
- set(client_settings)):
2865
3220
for client_name in (set(client_settings)
2866
3221
- set(old_client_settings)):
2867
3222
clients_data[client_name] = client_settings[client_name]
2868
3223
2869
3224
# Create all client objects
2870
3225
for client_name, client in clients_data.items():
2871
3226
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3227
name=client_name,
3228
settings=client,
3229
server_settings=server_settings)
3230
2876
3231
if not tcp_server.clients:
2877
3232
logger.warning("No clients defined")
2878
3233
2879
3234
if not foreground:
2880
3235
if pidfile is not None:
2881
3236
pid = os.getpid()
2887
3242
pidfilename, pid)
2888
3243
del pidfile
2889
3244
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3245
3246
for termsig in (signal.SIGHUP, signal.SIGTERM):
3247
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3248
lambda: main_loop.quit() and False)
3249
2894
3250
if use_dbus:
2895
3251
2896
3252
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3253
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3254
class MandosDBusService(DBusObjectWithObjectManager):
2899
3255
"""A D-Bus proxy object"""
2900
3256
2901
3257
def __init__(self):
2902
3258
dbus.service.Object.__init__(self, bus, "/")
2903
3259
2904
3260
_interface = "se.recompile.Mandos"
2905
3261
2906
3262
@dbus.service.signal(_interface, signature="o")
2907
3263
def ClientAdded(self, objpath):
2908
3264
"D-Bus signal"
2909
3265
pass
2910
3266
2911
3267
@dbus.service.signal(_interface, signature="ss")
2912
3268
def ClientNotFound(self, fingerprint, address):
2913
3269
"D-Bus signal"
2914
3270
pass
2915
3271
2916
3272
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3273
"true"})
2918
3274
@dbus.service.signal(_interface, signature="os")
2919
3275
def ClientRemoved(self, objpath, name):
2920
3276
"D-Bus signal"
2921
3277
pass
2922
3278
2923
3279
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3280
"true"})
2925
3281
@dbus.service.method(_interface, out_signature="ao")
2926
3282
def GetAllClients(self):
2927
3283
"D-Bus method"
2928
3284
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3285
tcp_server.clients.values())
3286
2931
3287
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3288
"true"})
2933
3289
@dbus.service.method(_interface,
2935
3291
def GetAllClientsWithProperties(self):
2936
3292
"D-Bus method"
2937
3293
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3294
{c.dbus_object_path: c.GetAll(
2939
3295
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3296
for c in tcp_server.clients.values()},
2941
3297
signature="oa{sv}")
2942
3298
2943
3299
@dbus.service.method(_interface, in_signature="o")
2944
3300
def RemoveClient(self, object_path):
2945
3301
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3302
for c in tcp_server.clients.values():
2947
3303
if c.dbus_object_path == object_path:
2948
3304
del tcp_server.clients[c.name]
2949
3305
c.remove_from_connection()
2953
3309
self.client_removed_signal(c)
2954
3310
return
2955
3311
raise KeyError(object_path)
2956
3312
2957
3313
del _interface
2958
3314
2959
3315
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3316
out_signature="a{oa{sa{sv}}}")
2961
3317
def GetManagedObjects(self):
2962
3318
"""D-Bus method"""
2963
3319
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3320
{client.dbus_object_path:
3321
dbus.Dictionary(
3322
{interface: client.GetAll(interface)
3323
for interface in
3324
client._get_all_interface_names()})
3325
for client in tcp_server.clients.values()})
3326
2971
3327
def client_added_signal(self, client):
2972
3328
"""Send the new standard signal and the old signal"""
2973
3329
if use_dbus:
2975
3331
self.InterfacesAdded(
2976
3332
client.dbus_object_path,
2977
3333
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3334
{interface: client.GetAll(interface)
3335
for interface in
3336
client._get_all_interface_names()}))
2981
3337
# Old signal
2982
3338
self.ClientAdded(client.dbus_object_path)
2983
3339
2984
3340
def client_removed_signal(self, client):
2985
3341
"""Send the new standard signal and the old signal"""
2986
3342
if use_dbus:
2991
3347
# Old signal
2992
3348
self.ClientRemoved(client.dbus_object_path,
2993
3349
client.name)
2994
3350
2995
3351
mandos_dbus_service = MandosDBusService()
2996
3352
3353
# Save modules to variables to exempt the modules from being
3354
# unloaded before the function registered with atexit() is run.
3355
mp = multiprocessing
3356
wn = wnull
3357
2997
3358
def cleanup():
2998
3359
"Cleanup function; run on exit"
2999
3360
if zeroconf:
3000
3361
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3362
3363
mp.active_children()
3364
wn.close()
3004
3365
if not (tcp_server.clients or client_settings):
3005
3366
return
3006
3367
3007
3368
# Store client before exiting. Secrets are encrypted with key
3008
3369
# based on what config file has. If config file is
3009
3370
# removed/edited, old secret will thus be unrecovable.
3010
3371
clients = {}
3011
3372
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3373
for client in tcp_server.clients.values():
3013
3374
key = client_settings[client.name]["secret"]
3014
3375
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3376
key)
3016
3377
client_dict = {}
3017
3378
3018
3379
# A list of attributes that can not be pickled
3019
3380
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3381
exclude = {"bus", "changedstate", "secret",
3382
"checker", "server_settings"}
3022
3383
for name, typ in inspect.getmembers(dbus.service
3023
3384
.Object):
3024
3385
exclude.add(name)
3025
3386
3026
3387
client_dict["encrypted_secret"] = (client
3027
3388
.encrypted_secret)
3028
3389
for attr in client.client_structure:
3029
3390
if attr not in exclude:
3030
3391
client_dict[attr] = getattr(client, attr)
3031
3392
3032
3393
clients[client.name] = client_dict
3033
3394
del client_settings[client.name]["secret"]
3034
3395
3035
3396
try:
3036
3397
with tempfile.NamedTemporaryFile(
3037
3398
mode='wb',
3039
3400
prefix='clients-',
3040
3401
dir=os.path.dirname(stored_state_path),
3041
3402
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3403
pickle.dump((clients, client_settings), stored_state,
3404
protocol=2)
3043
3405
tempname = stored_state.name
3044
3406
os.rename(tempname, stored_state_path)
3045
3407
except (IOError, OSError) as e:
3055
3417
logger.warning("Could not save persistent state:",
3056
3418
exc_info=e)
3057
3419
raise
3058
3420
3059
3421
# Delete all clients, and settings from config
3060
3422
while tcp_server.clients:
3061
3423
name, client = tcp_server.clients.popitem()
3064
3426
# Don't signal the disabling
3065
3427
client.disable(quiet=True)
3066
3428
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3429
if use_dbus:
3430
mandos_dbus_service.client_removed_signal(client)
3068
3431
client_settings.clear()
3069
3432
3070
3433
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3434
3435
for client in tcp_server.clients.values():
3073
3436
if use_dbus:
3074
3437
# Emit D-Bus signal for adding
3075
3438
mandos_dbus_service.client_added_signal(client)
3076
3439
# Need to initiate checking of clients
3077
3440
if client.enabled:
3078
3441
client.init_checker()
3079
3442
3080
3443
tcp_server.enable()
3081
3444
tcp_server.server_activate()
3082
3445
3083
3446
# Find out what port we got
3084
3447
if zeroconf:
3085
3448
service.port = tcp_server.socket.getsockname()[1]
3090
3453
else: # IPv4
3091
3454
logger.info("Now listening on address %r, port %d",
3092
3455
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3456
3457
# service.interface = tcp_server.socket.getsockname()[3]
3458
3096
3459
try:
3097
3460
if zeroconf:
3098
3461
# From the Avahi example code
3103
3466
cleanup()
3104
3467
sys.exit(1)
3105
3468
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3469
3470
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3471
lambda *args, **kwargs:
3472
(tcp_server.handle_request
3473
(*args[2:], **kwargs) or True))
3474
3112
3475
logger.debug("Starting main loop")
3113
3476
main_loop.run()
3114
3477
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0