/mandos/trunk : revision 894

1

#!/usr/bin/python3 -bI

2

# -*- coding: utf-8; lexical-binding: t -*-

1

#!/usr/bin/python

2

# -*- mode: python; coding: utf-8 -*-

3

#

4

# Mandos server - give out binary blobs to connecting clients.

5

#

11

# "AvahiService" class, and some lines in "main".

12

#

13

# Everything else is

14

15

16

#

17

# This file is part of Mandos.

18

#

19

# Mandos is free software: you can redistribute it and/or modify it

20

# under the terms of the GNU General Public License as published by

14

15

16

#

17

# This program is free software: you can redistribute it and/or modify

18

# it under the terms of the GNU General Public License as published by

21

19

# the Free Software Foundation, either version 3 of the License, or

22

20

# (at your option) any later version.

23

21

#

24

# Mandos is distributed in the hope that it will be useful, but

25

# WITHOUT ANY WARRANTY; without even the implied warranty of

22

# This program is distributed in the hope that it will be useful,

23

# but WITHOUT ANY WARRANTY; without even the implied warranty of

26

24

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

27

25

# GNU General Public License for more details.

28

26

#

29

27

# You should have received a copy of the GNU General Public License

30

# along with Mandos. If not, see <http://www.gnu.org/licenses/>.

28

# along with this program. If not, see

29

# <http://www.gnu.org/licenses/>.

31

30

#

32

31

# Contact the authors at <mandos@recompile.se>.

33

32

#

33

34

from __future__ import (division, absolute_import, print_function,

35

unicode_literals)

36

39

except ImportError:

40

pass

41

42

import sys

43

import unittest

44

import argparse

45

import logging

46

import os

47

42

try:

48

43

import SocketServer as socketserver

49

44

except ImportError:

50

45

import socketserver

51

46

import socket

47

import argparse

52

48

import datetime

53

49

import errno

54

50

try:

55

51

import ConfigParser as configparser

56

52

except ImportError:

57

53

import configparser

54

import sys

58

55

import re

56

import os

59

57

import signal

60

58

import subprocess

61

59

import atexit

62

60

import stat

61

import logging

63

62

import logging.handlers

64

63

import pwd

65

64

import contextlib

77

76

import itertools

78

77

import collections

79

78

import codecs

80

import random

81

import shlex

82

79

83

80

import dbus

84

81

import dbus.service

85

import gi

86

82

from gi.repository import GLib

87

83

from dbus.mainloop.glib import DBusGMainLoop

88

84

import ctypes

90

86

import xml.dom.minidom

91

87

import inspect

92

88

93

if sys.version_info.major == 2:

94

__metaclass__ = type

95

str = unicode

96

input = raw_input

97

98

# Add collections.abc.Callable if it does not exist

99

try:

100

collections.abc.Callable

101

except AttributeError:

102

class abc:

103

Callable = collections.Callable

104

collections.abc = abc

105

del abc

106

107

# Add shlex.quote if it does not exist

108

try:

109

shlex.quote

110

except AttributeError:

111

shlex.quote = re.escape

112

113

# Show warnings by default

114

if not sys.warnoptions:

115

import warnings

116

warnings.simplefilter("default")

117

118

89

# Try to find the value of SO_BINDTODEVICE:

119

90

try:

120

91

# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and

140

111

# No value found

141

112

SO_BINDTODEVICE = None

142

113

143

if sys.version_info < (3, 2):

144

configparser.Configparser = configparser.SafeConfigParser

114

if sys.version_info.major == 2:

115

str = unicode

145

116

146

version = "1.8.14"

117

version = "1.7.14"

147

118

stored_state_file = "clients.pickle"

148

119

149

log = logging.getLogger(os.path.basename(sys.argv[0]))

150

logging.captureWarnings(True) # Show warnings via the logging system

120

logger = logging.getLogger()

151

121

syslogger = None

152

122

153

123

try:

189

159

facility=logging.handlers.SysLogHandler.LOG_DAEMON,

190

160

address="/dev/log"))

191

161

syslogger.setFormatter(logging.Formatter

192

("Mandos [%(process)d]: %(levelname)s:"

193

" %(message)s"))

194

log.addHandler(syslogger)

162

('Mandos [%(process)d]: %(levelname)s:'

163

' %(message)s'))

164

logger.addHandler(syslogger)

195

165

196

166

if debug:

197

167

console = logging.StreamHandler()

198

console.setFormatter(logging.Formatter("%(asctime)s %(name)s"

199

" [%(process)d]:"

200

" %(levelname)s:"

201

" %(message)s"))

202

log.addHandler(console)

203

log.setLevel(level)

168

console.setFormatter(logging.Formatter('%(asctime)s %(name)s'

169

' [%(process)d]:'

170

' %(levelname)s:'

171

' %(message)s'))

172

logger.addHandler(console)

173

logger.setLevel(level)

204

174

205

175

206

176

class PGPError(Exception):

208

178

pass

209

179

210

180

211

class PGPEngine:

181

class PGPEngine(object):

212

182

"""A simple class for OpenPGP symmetric encryption & decryption"""

213

183

214

184

def __init__(self):

218

188

output = subprocess.check_output(["gpgconf"])

219

189

for line in output.splitlines():

220

190

name, text, path = line.split(b":")

221

if name == b"gpg":

191

if name == "gpg":

222

192

self.gpg = path

223

193

break

224

194

except OSError as e:

225

195

if e.errno != errno.ENOENT:

226

196

raise

227

self.gnupgargs = ["--batch",

228

"--homedir", self.tempdir,

229

"--force-mdc",

230

"--quiet"]

197

self.gnupgargs = ['--batch',

198

'--homedir', self.tempdir,

199

'--force-mdc',

200

'--quiet']

231

201

# Only GPG version 1 has the --no-use-agent option.

232

if self.gpg == b"gpg" or self.gpg.endswith(b"/gpg"):

202

if self.gpg == "gpg" or self.gpg.endswith("/gpg"):

233

203

self.gnupgargs.append("--no-use-agent")

234

204

235

205

def __enter__(self):

272

242

dir=self.tempdir) as passfile:

273

243

passfile.write(passphrase)

274

244

passfile.flush()

275

proc = subprocess.Popen([self.gpg, "--symmetric",

276

"--passphrase-file",

245

proc = subprocess.Popen([self.gpg, '--symmetric',

246

'--passphrase-file',

277

247

passfile.name]

278

248

+ self.gnupgargs,

279

249

stdin=subprocess.PIPE,

290

260

dir=self.tempdir) as passfile:

291

261

passfile.write(passphrase)

292

262

passfile.flush()

293

proc = subprocess.Popen([self.gpg, "--decrypt",

294

"--passphrase-file",

263

proc = subprocess.Popen([self.gpg, '--decrypt',

264

'--passphrase-file',

295

265

passfile.name]

296

266

+ self.gnupgargs,

297

267

stdin=subprocess.PIPE,

304

274

305

275

306

276

# Pretend that we have an Avahi module

307

class avahi:

308

"""This isn't so much a class as it is a module-like namespace."""

277

class Avahi(object):

278

"""This isn't so much a class as it is a module-like namespace.

279

It is instantiated once, and simulates having an Avahi module."""

309

280

IF_UNSPEC = -1 # avahi-common/address.h

310

281

PROTO_UNSPEC = -1 # avahi-common/address.h

311

282

PROTO_INET = 0 # avahi-common/address.h

315

286

DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"

316

287

DBUS_PATH_SERVER = "/"

317

288

318

@staticmethod

319

def string_array_to_txt_array(t):

289

def string_array_to_txt_array(self, t):

320

290

return dbus.Array((dbus.ByteArray(s.encode("utf-8"))

321

291

for s in t), signature="ay")

322

292

ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h

327

297

SERVER_RUNNING = 2 # avahi-common/defs.h

328

298

SERVER_COLLISION = 3 # avahi-common/defs.h

329

299

SERVER_FAILURE = 4 # avahi-common/defs.h

300

avahi = Avahi()

330

301

331

302

332

303

class AvahiError(Exception):

344

315

pass

345

316

346

317

347

class AvahiService:

318

class AvahiService(object):

348

319

"""An Avahi (Zeroconf) service.

349

320

350

321

Attributes:

351

322

interface: integer; avahi.IF_UNSPEC or an interface index.

352

323

Used to optionally bind to the specified interface.

353

name: string; Example: "Mandos"

354

type: string; Example: "_mandos._tcp".

324

name: string; Example: 'Mandos'

325

type: string; Example: '_mandos._tcp'.

355

326

See <https://www.iana.org/assignments/service-names-port-numbers>

356

327

port: integer; what port to announce

357

328

TXT: list of strings; TXT record for the service

394

365

def rename(self, remove=True):

395

366

"""Derived from the Avahi example code"""

396

367

if self.rename_count >= self.max_renames:

397

log.critical("No suitable Zeroconf service name found"

398

" after %i retries, exiting.",

399

self.rename_count)

368

logger.critical("No suitable Zeroconf service name found"

369

" after %i retries, exiting.",

370

self.rename_count)

400

371

raise AvahiServiceError("Too many renames")

401

372

self.name = str(

402

373

self.server.GetAlternativeServiceName(self.name))

403

374

self.rename_count += 1

404

log.info("Changing Zeroconf service name to %r ...",

405

self.name)

375

logger.info("Changing Zeroconf service name to %r ...",

376

self.name)

406

377

if remove:

407

378

self.remove()

408

379

try:

410

381

except dbus.exceptions.DBusException as error:

411

382

if (error.get_dbus_name()

412

383

== "org.freedesktop.Avahi.CollisionError"):

413

log.info("Local Zeroconf service name collision.")

384

logger.info("Local Zeroconf service name collision.")

414

385

return self.rename(remove=False)

415

386

else:

416

log.critical("D-Bus Exception", exc_info=error)

387

logger.critical("D-Bus Exception", exc_info=error)

417

388

self.cleanup()

418

389

os._exit(1)

419

390

435

406

avahi.DBUS_INTERFACE_ENTRY_GROUP)

436

407

self.entry_group_state_changed_match = (

437

408

self.group.connect_to_signal(

438

"StateChanged", self.entry_group_state_changed))

439

log.debug("Adding Zeroconf service '%s' of type '%s' ...",

440

self.name, self.type)

409

'StateChanged', self.entry_group_state_changed))

410

logger.debug("Adding Zeroconf service '%s' of type '%s' ...",

411

self.name, self.type)

441

412

self.group.AddService(

442

413

self.interface,

443

414

self.protocol,

450

421

451

422

def entry_group_state_changed(self, state, error):

452

423

"""Derived from the Avahi example code"""

453

log.debug("Avahi entry group state change: %i", state)

424

logger.debug("Avahi entry group state change: %i", state)

454

425

455

426

if state == avahi.ENTRY_GROUP_ESTABLISHED:

456

log.debug("Zeroconf service established.")

427

logger.debug("Zeroconf service established.")

457

428

elif state == avahi.ENTRY_GROUP_COLLISION:

458

log.info("Zeroconf service name collision.")

429

logger.info("Zeroconf service name collision.")

459

430

self.rename()

460

431

elif state == avahi.ENTRY_GROUP_FAILURE:

461

log.critical("Avahi: Error in group state changed %s",

462

str(error))

432

logger.critical("Avahi: Error in group state changed %s",

433

str(error))

463

434

raise AvahiGroupError("State changed: {!s}".format(error))

464

435

465

436

def cleanup(self):

475

446

476

447

def server_state_changed(self, state, error=None):

477

448

"""Derived from the Avahi example code"""

478

log.debug("Avahi server state change: %i", state)

449

logger.debug("Avahi server state change: %i", state)

479

450

bad_states = {

480

451

avahi.SERVER_INVALID: "Zeroconf server invalid",

481

452

avahi.SERVER_REGISTERING: None,

485

456

if state in bad_states:

486

457

if bad_states[state] is not None:

487

458

if error is None:

488

log.error(bad_states[state])

459

logger.error(bad_states[state])

489

460

else:

490

log.error(bad_states[state] + ": %r", error)

461

logger.error(bad_states[state] + ": %r", error)

491

462

self.cleanup()

492

463

elif state == avahi.SERVER_RUNNING:

493

464

try:

495

466

except dbus.exceptions.DBusException as error:

496

467

if (error.get_dbus_name()

497

468

== "org.freedesktop.Avahi.CollisionError"):

498

log.info("Local Zeroconf service name collision.")

469

logger.info("Local Zeroconf service name"

470

" collision.")

499

471

return self.rename(remove=False)

500

472

else:

501

log.critical("D-Bus Exception", exc_info=error)

473

logger.critical("D-Bus Exception", exc_info=error)

502

474

self.cleanup()

503

475

os._exit(1)

504

476

else:

505

477

if error is None:

506

log.debug("Unknown state: %r", state)

478

logger.debug("Unknown state: %r", state)

507

479

else:

508

log.debug("Unknown state: %r: %r", state, error)

480

logger.debug("Unknown state: %r: %r", state, error)

509

481

510

482

def activate(self):

511

483

"""Derived from the Avahi example code"""

523

495

class AvahiServiceToSyslog(AvahiService):

524

496

def rename(self, *args, **kwargs):

525

497

"""Add the new name to the syslog messages"""

526

ret = super(AvahiServiceToSyslog, self).rename(*args,

527

**kwargs)

498

ret = AvahiService.rename(self, *args, **kwargs)

528

499

syslogger.setFormatter(logging.Formatter(

529

"Mandos ({}) [%(process)d]: %(levelname)s: %(message)s"

500

'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'

530

501

.format(self.name)))

531

502

return ret

532

503

533

504

534

505

# Pretend that we have a GnuTLS module

535

class gnutls:

536

"""This isn't so much a class as it is a module-like namespace."""

506

class GnuTLS(object):

507

"""This isn't so much a class as it is a module-like namespace.

508

It is instantiated once, and simulates having a GnuTLS module."""

537

509

538

510

library = ctypes.util.find_library("gnutls")

539

511

if library is None:

540

512

library = ctypes.util.find_library("gnutls-deb0")

541

513

_library = ctypes.cdll.LoadLibrary(library)

542

514

del library

515

_need_version = b"3.3.0"

516

517

def __init__(self):

518

# Need to use "self" here, since this method is called before

519

# the assignment to the "gnutls" global variable happens.

520

if self.check_version(self._need_version) is None:

521

raise self.Error("Needs GnuTLS {} or later"

522

.format(self._need_version))

543

523

544

524

# Unless otherwise indicated, the constants and types below are

545

525

# all from the gnutls/gnutls.h C header file.

549

529

E_INTERRUPTED = -52

550

530

E_AGAIN = -28

551

531

CRT_OPENPGP = 2

552

CRT_RAWPK = 3

553

532

CLIENT = 2

554

533

SHUT_RDWR = 0

555

534

CRD_CERTIFICATE = 1

556

535

E_NO_CERTIFICATE_FOUND = -49

557

X509_FMT_DER = 0

558

NO_TICKETS = 1<<10

559

ENABLE_RAWPK = 1<<18

560

CTYPE_PEERS = 3

561

KEYID_USE_SHA256 = 1 # gnutls/x509.h

562

536

OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h

563

537

564

538

# Types

565

class _session_int(ctypes.Structure):

539

class session_int(ctypes.Structure):

566

540

_fields_ = []

567

session_t = ctypes.POINTER(_session_int)

541

session_t = ctypes.POINTER(session_int)

568

542

569

543

class certificate_credentials_st(ctypes.Structure):

570

544

_fields_ = []

573

547

certificate_type_t = ctypes.c_int

574

548

575

549

class datum_t(ctypes.Structure):

576

_fields_ = [("data", ctypes.POINTER(ctypes.c_ubyte)),

577

("size", ctypes.c_uint)]

550

_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),

551

('size', ctypes.c_uint)]

578

552

579

class _openpgp_crt_int(ctypes.Structure):

553

class openpgp_crt_int(ctypes.Structure):

580

554

_fields_ = []

581

openpgp_crt_t = ctypes.POINTER(_openpgp_crt_int)

555

openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)

582

556

openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h

583

557

log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)

584

558

credentials_type_t = ctypes.c_int

587

561

588

562

# Exceptions

589

563

class Error(Exception):

564

# We need to use the class name "GnuTLS" here, since this

565

# exception might be raised from within GnuTLS.__init__,

566

# which is called before the assignment to the "gnutls"

567

# global variable has happened.

590

568

def __init__(self, message=None, code=None, args=()):

591

569

# Default usage is by a message string, but if a return

592

570

# code is passed, convert it to a string with

593

571

# gnutls.strerror()

594

572

self.code = code

595

573

if message is None and code is not None:

596

message = gnutls.strerror(code).decode(

597

"utf-8", errors="replace")

598

return super(gnutls.Error, self).__init__(

574

message = GnuTLS.strerror(code)

575

return super(GnuTLS.Error, self).__init__(

599

576

message, *args)

600

577

601

578

class CertificateSecurityError(Error):

602

579

pass

603

580

604

class PointerTo:

605

def __init__(self, cls):

606

self.cls = cls

607

608

def from_param(self, obj):

609

if not isinstance(obj, self.cls):

610

raise TypeError("Not of type {}: {!r}"

611

.format(self.cls.__name__, obj))

612

return ctypes.byref(obj.from_param(obj))

613

614

class CastToVoidPointer:

615

def __init__(self, cls):

616

self.cls = cls

617

618

def from_param(self, obj):

619

if not isinstance(obj, self.cls):

620

raise TypeError("Not of type {}: {!r}"

621

.format(self.cls.__name__, obj))

622

return ctypes.cast(obj.from_param(obj), ctypes.c_void_p)

623

624

class With_from_param:

625

@classmethod

626

def from_param(cls, obj):

627

return obj._as_parameter_

628

629

581

# Classes

630

class Credentials(With_from_param):

582

class Credentials(object):

631

583

def __init__(self):

632

self._as_parameter_ = gnutls.certificate_credentials_t()

633

gnutls.certificate_allocate_credentials(self)

584

self._c_object = gnutls.certificate_credentials_t()

585

gnutls.certificate_allocate_credentials(

586

ctypes.byref(self._c_object))

634

587

self.type = gnutls.CRD_CERTIFICATE

635

588

636

589

def __del__(self):

637

gnutls.certificate_free_credentials(self)

590

gnutls.certificate_free_credentials(self._c_object)

638

591

639

class ClientSession(With_from_param):

592

class ClientSession(object):

640

593

def __init__(self, socket, credentials=None):

641

self._as_parameter_ = gnutls.session_t()

642

gnutls_flags = gnutls.CLIENT

643

if gnutls.check_version(b"3.5.6"):

644

gnutls_flags |= gnutls.NO_TICKETS

645

if gnutls.has_rawpk:

646

gnutls_flags |= gnutls.ENABLE_RAWPK

647

gnutls.init(self, gnutls_flags)

648

del gnutls_flags

649

gnutls.set_default_priority(self)

650

gnutls.transport_set_ptr(self, socket.fileno())

651

gnutls.handshake_set_private_extensions(self, True)

594

self._c_object = gnutls.session_t()

595

gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)

596

gnutls.set_default_priority(self._c_object)

597

gnutls.transport_set_ptr(self._c_object, socket.fileno())

598

gnutls.handshake_set_private_extensions(self._c_object,

599

True)

652

600

self.socket = socket

653

601

if credentials is None:

654

602

credentials = gnutls.Credentials()

655

gnutls.credentials_set(self, credentials.type,

656

credentials)

603

gnutls.credentials_set(self._c_object, credentials.type,

604

ctypes.cast(credentials._c_object,

605

ctypes.c_void_p))

657

606

self.credentials = credentials

658

607

659

608

def __del__(self):

660

gnutls.deinit(self)

609

gnutls.deinit(self._c_object)

661

610

662

611

def handshake(self):

663

return gnutls.handshake(self)

612

return gnutls.handshake(self._c_object)

664

613

665

614

def send(self, data):

666

615

data = bytes(data)

667

616

data_len = len(data)

668

617

while data_len > 0:

669

data_len -= gnutls.record_send(self, data[-data_len:],

618

data_len -= gnutls.record_send(self._c_object,

619

data[-data_len:],

670

620

data_len)

671

621

672

622

def bye(self):

673

return gnutls.bye(self, gnutls.SHUT_RDWR)

623

return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)

674

624

675

625

# Error handling functions

676

626

def _error_code(result):

677

627

"""A function to raise exceptions on errors, suitable

678

for the "restype" attribute on ctypes functions"""

679

if result >= gnutls.E_SUCCESS:

628

for the 'restype' attribute on ctypes functions"""

629

if result >= 0:

680

630

return result

681

631

if result == gnutls.E_NO_CERTIFICATE_FOUND:

682

632

raise gnutls.CertificateSecurityError(code=result)

683

633

raise gnutls.Error(code=result)

684

634

685

def _retry_on_error(result, func, arguments,

686

_error_code=_error_code):

635

def _retry_on_error(result, func, arguments):

687

636

"""A function to retry on some errors, suitable

688

for the "errcheck" attribute on ctypes functions"""

689

while result < gnutls.E_SUCCESS:

637

for the 'errcheck' attribute on ctypes functions"""

638

while result < 0:

690

639

if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):

691

640

return _error_code(result)

692

641

result = func(*arguments)

697

646

698

647

# Functions

699

648

priority_set_direct = _library.gnutls_priority_set_direct

700

priority_set_direct.argtypes = [ClientSession, ctypes.c_char_p,

649

priority_set_direct.argtypes = [session_t, ctypes.c_char_p,

701

650

ctypes.POINTER(ctypes.c_char_p)]

702

651

priority_set_direct.restype = _error_code

703

652

704

653

init = _library.gnutls_init

705

init.argtypes = [PointerTo(ClientSession), ctypes.c_int]

654

init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]

706

655

init.restype = _error_code

707

656

708

657

set_default_priority = _library.gnutls_set_default_priority

709

set_default_priority.argtypes = [ClientSession]

658

set_default_priority.argtypes = [session_t]

710

659

set_default_priority.restype = _error_code

711

660

712

661

record_send = _library.gnutls_record_send

713

record_send.argtypes = [ClientSession, ctypes.c_void_p,

662

record_send.argtypes = [session_t, ctypes.c_void_p,

714

663

ctypes.c_size_t]

715

664

record_send.restype = ctypes.c_ssize_t

716

665

record_send.errcheck = _retry_on_error

718

667

certificate_allocate_credentials = (

719

668

_library.gnutls_certificate_allocate_credentials)

720

669

certificate_allocate_credentials.argtypes = [

721

PointerTo(Credentials)]

670

ctypes.POINTER(certificate_credentials_t)]

722

671

certificate_allocate_credentials.restype = _error_code

723

672

724

673

certificate_free_credentials = (

725

674

_library.gnutls_certificate_free_credentials)

726

certificate_free_credentials.argtypes = [Credentials]

675

certificate_free_credentials.argtypes = [

676

certificate_credentials_t]

727

677

certificate_free_credentials.restype = None

728

678

729

679

handshake_set_private_extensions = (

730

680

_library.gnutls_handshake_set_private_extensions)

731

handshake_set_private_extensions.argtypes = [ClientSession,

681

handshake_set_private_extensions.argtypes = [session_t,

732

682

ctypes.c_int]

733

683

handshake_set_private_extensions.restype = None

734

684

735

685

credentials_set = _library.gnutls_credentials_set

736

credentials_set.argtypes = [ClientSession, credentials_type_t,

737

CastToVoidPointer(Credentials)]

686

credentials_set.argtypes = [session_t, credentials_type_t,

687

ctypes.c_void_p]

738

688

credentials_set.restype = _error_code

739

689

740

690

strerror = _library.gnutls_strerror

742

692

strerror.restype = ctypes.c_char_p

743

693

744

694

certificate_type_get = _library.gnutls_certificate_type_get

745

certificate_type_get.argtypes = [ClientSession]

695

certificate_type_get.argtypes = [session_t]

746

696

certificate_type_get.restype = _error_code

747

697

748

698

certificate_get_peers = _library.gnutls_certificate_get_peers

749

certificate_get_peers.argtypes = [ClientSession,

699

certificate_get_peers.argtypes = [session_t,

750

700

ctypes.POINTER(ctypes.c_uint)]

751

701

certificate_get_peers.restype = ctypes.POINTER(datum_t)

752

702

759

709

global_set_log_function.restype = None

760

710

761

711

deinit = _library.gnutls_deinit

762

deinit.argtypes = [ClientSession]

712

deinit.argtypes = [session_t]

763

713

deinit.restype = None

764

714

765

715

handshake = _library.gnutls_handshake

766

handshake.argtypes = [ClientSession]

767

handshake.restype = ctypes.c_int

716

handshake.argtypes = [session_t]

717

handshake.restype = _error_code

768

718

handshake.errcheck = _retry_on_error

769

719

770

720

transport_set_ptr = _library.gnutls_transport_set_ptr

771

transport_set_ptr.argtypes = [ClientSession, transport_ptr_t]

721

transport_set_ptr.argtypes = [session_t, transport_ptr_t]

772

722

transport_set_ptr.restype = None

773

723

774

724

bye = _library.gnutls_bye

775

bye.argtypes = [ClientSession, close_request_t]

776

bye.restype = ctypes.c_int

725

bye.argtypes = [session_t, close_request_t]

726

bye.restype = _error_code

777

727

bye.errcheck = _retry_on_error

778

728

779

729

check_version = _library.gnutls_check_version

780

730

check_version.argtypes = [ctypes.c_char_p]

781

731

check_version.restype = ctypes.c_char_p

782

732

783

_need_version = b"3.3.0"

784

if check_version(_need_version) is None:

785

raise self.Error("Needs GnuTLS {} or later"

786

.format(_need_version))

787

788

_tls_rawpk_version = b"3.6.6"

789

has_rawpk = bool(check_version(_tls_rawpk_version))

790

791

if has_rawpk:

792

# Types

793

class pubkey_st(ctypes.Structure):

794

_fields = []

795

pubkey_t = ctypes.POINTER(pubkey_st)

796

797

x509_crt_fmt_t = ctypes.c_int

798

799

# All the function declarations below are from

800

# gnutls/abstract.h

801

pubkey_init = _library.gnutls_pubkey_init

802

pubkey_init.argtypes = [ctypes.POINTER(pubkey_t)]

803

pubkey_init.restype = _error_code

804

805

pubkey_import = _library.gnutls_pubkey_import

806

pubkey_import.argtypes = [pubkey_t, ctypes.POINTER(datum_t),

807

x509_crt_fmt_t]

808

pubkey_import.restype = _error_code

809

810

pubkey_get_key_id = _library.gnutls_pubkey_get_key_id

811

pubkey_get_key_id.argtypes = [pubkey_t, ctypes.c_int,

812

ctypes.POINTER(ctypes.c_ubyte),

813

ctypes.POINTER(ctypes.c_size_t)]

814

pubkey_get_key_id.restype = _error_code

815

816

pubkey_deinit = _library.gnutls_pubkey_deinit

817

pubkey_deinit.argtypes = [pubkey_t]

818

pubkey_deinit.restype = None

819

else:

820

# All the function declarations below are from

821

# gnutls/openpgp.h

822

823

openpgp_crt_init = _library.gnutls_openpgp_crt_init

824

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

825

openpgp_crt_init.restype = _error_code

826

827

openpgp_crt_import = _library.gnutls_openpgp_crt_import

828

openpgp_crt_import.argtypes = [openpgp_crt_t,

829

ctypes.POINTER(datum_t),

830

openpgp_crt_fmt_t]

831

openpgp_crt_import.restype = _error_code

832

833

openpgp_crt_verify_self = \

834

_library.gnutls_openpgp_crt_verify_self

835

openpgp_crt_verify_self.argtypes = [

836

openpgp_crt_t,

837

ctypes.c_uint,

838

ctypes.POINTER(ctypes.c_uint),

839

]

840

openpgp_crt_verify_self.restype = _error_code

841

842

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

843

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

844

openpgp_crt_deinit.restype = None

845

846

openpgp_crt_get_fingerprint = (

847

_library.gnutls_openpgp_crt_get_fingerprint)

848

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

849

ctypes.c_void_p,

850

ctypes.POINTER(

851

ctypes.c_size_t)]

852

openpgp_crt_get_fingerprint.restype = _error_code

853

854

if check_version(b"3.6.4"):

855

certificate_type_get2 = _library.gnutls_certificate_type_get2

856

certificate_type_get2.argtypes = [ClientSession, ctypes.c_int]

857

certificate_type_get2.restype = _error_code

733

# All the function declarations below are from gnutls/openpgp.h

734

735

openpgp_crt_init = _library.gnutls_openpgp_crt_init

736

openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]

737

openpgp_crt_init.restype = _error_code

738

739

openpgp_crt_import = _library.gnutls_openpgp_crt_import

740

openpgp_crt_import.argtypes = [openpgp_crt_t,

741

ctypes.POINTER(datum_t),

742

openpgp_crt_fmt_t]

743

openpgp_crt_import.restype = _error_code

744

745

openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self

746

openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,

747

ctypes.POINTER(ctypes.c_uint)]

748

openpgp_crt_verify_self.restype = _error_code

749

750

openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit

751

openpgp_crt_deinit.argtypes = [openpgp_crt_t]

752

openpgp_crt_deinit.restype = None

753

754

openpgp_crt_get_fingerprint = (

755

_library.gnutls_openpgp_crt_get_fingerprint)

756

openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,

757

ctypes.c_void_p,

758

ctypes.POINTER(

759

ctypes.c_size_t)]

760

openpgp_crt_get_fingerprint.restype = _error_code

858

761

859

762

# Remove non-public functions

860

763

del _error_code, _retry_on_error

764

# Create the global "gnutls" object, simulating a module

765

gnutls = GnuTLS()

861

766

862

767

863

768

def call_pipe(connection, # : multiprocessing.Connection

871

776

connection.close()

872

777

873

778

874

class Client:

779

class Client(object):

875

780

"""A representation of a client host served by this server.

876

781

877

782

Attributes:

878

approved: bool(); None if not yet approved/disapproved

783

approved: bool(); 'None' if not yet approved/disapproved

879

784

approval_delay: datetime.timedelta(); Time to wait for approval

880

785

approval_duration: datetime.timedelta(); Duration of one approval

881

checker: multiprocessing.Process(); a running checker process used

882

to see if the client lives. None if no process is

883

running.

786

checker: subprocess.Popen(); a running checker process used

787

to see if the client lives.

788

'None' if no process is running.

884

789

checker_callback_tag: a GLib event source tag, or None

885

790

checker_command: string; External command which is run to check

886

791

if client lives. %() expansions are done at

894

799

disable_initiator_tag: a GLib event source tag, or None

895

800

enabled: bool()

896

801

fingerprint: string (40 or 32 hexadecimal digits); used to

897

uniquely identify an OpenPGP client

898

key_id: string (64 hexadecimal digits); used to uniquely identify

899

a client using raw public keys

802

uniquely identify the client

900

803

host: string; available for use by the checker command

901

804

interval: datetime.timedelta(); How often to start a new checker

902

805

last_approval_request: datetime.datetime(); (UTC) or None

920

823

"""

921

824

922

825

runtime_expansions = ("approval_delay", "approval_duration",

923

"created", "enabled", "expires", "key_id",

826

"created", "enabled", "expires",

924

827

"fingerprint", "host", "interval",

925

828

"last_approval_request", "last_checked_ok",

926

829

"last_enabled", "name", "timeout")

956

859

client["enabled"] = config.getboolean(client_name,

957

860

"enabled")

958

861

959

# Uppercase and remove spaces from key_id and fingerprint

960

# for later comparison purposes with return value from the

961

# key_id() and fingerprint() functions

962

client["key_id"] = (section.get("key_id", "").upper()

963

.replace(" ", ""))

862

# Uppercase and remove spaces from fingerprint for later

863

# comparison purposes with return value from the

864

# fingerprint() function

964

865

client["fingerprint"] = (section["fingerprint"].upper()

965

866

.replace(" ", ""))

966

867

if "secret" in section:

1009

910

self.last_enabled = None

1010

911

self.expires = None

1011

912

1012

log.debug("Creating client %r", self.name)

1013

log.debug(" Key ID: %s", self.key_id)

1014

log.debug(" Fingerprint: %s", self.fingerprint)

913

logger.debug("Creating client %r", self.name)

914

logger.debug(" Fingerprint: %s", self.fingerprint)

1015

915

self.created = settings.get("created",

1016

916

datetime.datetime.utcnow())

1017

917

1056

956

if not getattr(self, "enabled", False):

1057

957

return False

1058

958

if not quiet:

1059

log.info("Disabling client %s", self.name)

959

logger.info("Disabling client %s", self.name)

1060

960

if getattr(self, "disable_initiator_tag", None) is not None:

1061

961

GLib.source_remove(self.disable_initiator_tag)

1062

962

self.disable_initiator_tag = None

1080

980

if self.checker_initiator_tag is not None:

1081

981

GLib.source_remove(self.checker_initiator_tag)

1082

982

self.checker_initiator_tag = GLib.timeout_add(

1083

random.randrange(int(self.interval.total_seconds() * 1000

1084

+ 1)),

983

int(self.interval.total_seconds() * 1000),

1085

984

self.start_checker)

1086

985

# Schedule a disable() when 'timeout' has passed

1087

986

if self.disable_initiator_tag is not None:

1094

993

def checker_callback(self, source, condition, connection,

1095

994

command):

1096

995

"""The checker has completed, so take appropriate actions."""

996

self.checker_callback_tag = None

997

self.checker = None

1097

998

# Read return code from connection (see call_pipe)

1098

999

returncode = connection.recv()

1099

1000

connection.close()

1100

if self.checker is not None:

1101

self.checker.join()

1102

self.checker_callback_tag = None

1103

self.checker = None

1104

1001

1105

1002

if returncode >= 0:

1106

1003

self.last_checker_status = returncode

1107

1004

self.last_checker_signal = None

1108

1005

if self.last_checker_status == 0:

1109

log.info("Checker for %(name)s succeeded", vars(self))

1006

logger.info("Checker for %(name)s succeeded",

1007

vars(self))

1110

1008

self.checked_ok()

1111

1009

else:

1112

log.info("Checker for %(name)s failed", vars(self))

1010

logger.info("Checker for %(name)s failed", vars(self))

1113

1011

else:

1114

1012

self.last_checker_status = -1

1115

1013

self.last_checker_signal = -returncode

1116

log.warning("Checker for %(name)s crashed?", vars(self))

1014

logger.warning("Checker for %(name)s crashed?",

1015

vars(self))

1117

1016

return False

1118

1017

1119

1018

def checked_ok(self):

1153

1052

# should be.

1154

1053

1155

1054

if self.checker is not None and not self.checker.is_alive():

1156

log.warning("Checker was not alive; joining")

1055

logger.warning("Checker was not alive; joining")

1157

1056

self.checker.join()

1158

1057

self.checker = None

1159

1058

# Start a new checker if needed

1160

1059

if self.checker is None:

1161

1060

# Escape attributes for the shell

1162

1061

escaped_attrs = {

1163

attr: shlex.quote(str(getattr(self, attr)))

1062

attr: re.escape(str(getattr(self, attr)))

1164

1063

for attr in self.runtime_expansions}

1165

1064

try:

1166

1065

command = self.checker_command % escaped_attrs

1167

1066

except TypeError as error:

1168

log.error('Could not format string "%s"',

1169

self.checker_command, exc_info=error)

1067

logger.error('Could not format string "%s"',

1068

self.checker_command,

1069

exc_info=error)

1170

1070

return True # Try again later

1171

1071

self.current_checker_command = command

1172

log.info("Starting checker %r for %s", command, self.name)

1072

logger.info("Starting checker %r for %s", command,

1073

self.name)

1173

1074

# We don't need to redirect stdout and stderr, since

1174

1075

# in normal mode, that is already done by daemon(),

1175

1076

# and in debug mode we don't want to. (Stdin is

1191

1092

kwargs=popen_args)

1192

1093

self.checker.start()

1193

1094

self.checker_callback_tag = GLib.io_add_watch(

1194

GLib.IOChannel.unix_new(pipe[0].fileno()),

1195

GLib.PRIORITY_DEFAULT, GLib.IO_IN,

1095

pipe[0].fileno(), GLib.IO_IN,

1196

1096

self.checker_callback, pipe[0], command)

1197

1097

# Re-run this periodically if run by GLib.timeout_add

1198

1098

return True

1204

1104

self.checker_callback_tag = None

1205

1105

if getattr(self, "checker", None) is None:

1206

1106

return

1207

log.debug("Stopping checker for %(name)s", vars(self))

1107

logger.debug("Stopping checker for %(name)s", vars(self))

1208

1108

self.checker.terminate()

1209

1109

self.checker = None

1210

1110

1237

1137

func._dbus_name = func.__name__

1238

1138

if func._dbus_name.endswith("_dbus_property"):

1239

1139

func._dbus_name = func._dbus_name[:-14]

1240

func._dbus_get_args_options = {"byte_arrays": byte_arrays}

1140

func._dbus_get_args_options = {'byte_arrays': byte_arrays}

1241

1141

return func

1242

1142

1243

1143

return decorator

1332

1232

1333

1233

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

1334

1234

out_signature="s",

1335

path_keyword="object_path",

1336

connection_keyword="connection")

1235

path_keyword='object_path',

1236

connection_keyword='connection')

1337

1237

def Introspect(self, object_path, connection):

1338

1238

"""Overloading of standard D-Bus method.

1339

1239

1388

1288

document.unlink()

1389

1289

except (AttributeError, xml.dom.DOMException,

1390

1290

xml.parsers.expat.ExpatError) as error:

1391

log.error("Failed to override Introspection method",

1392

exc_info=error)

1291

logger.error("Failed to override Introspection method",

1292

exc_info=error)

1393

1293

return xmlstring

1394

1294

1395

1295

1453

1353

raise ValueError("Byte arrays not supported for non-"

1454

1354

"'ay' signature {!r}"

1455

1355

.format(prop._dbus_signature))

1456

value = dbus.ByteArray(bytes(value))

1356

value = dbus.ByteArray(b''.join(chr(byte)

1357

for byte in value))

1457

1358

prop(value)

1458

1359

1459

1360

@dbus.service.method(dbus.PROPERTIES_IFACE,

1492

1393

1493

1394

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

1494

1395

out_signature="s",

1495

path_keyword="object_path",

1496

connection_keyword="connection")

1396

path_keyword='object_path',

1397

connection_keyword='connection')

1497

1398

def Introspect(self, object_path, connection):

1498

1399

"""Overloading of standard D-Bus method.

1499

1400

1555

1456

document.unlink()

1556

1457

except (AttributeError, xml.dom.DOMException,

1557

1458

xml.parsers.expat.ExpatError) as error:

1558

log.error("Failed to override Introspection method",

1559

exc_info=error)

1459

logger.error("Failed to override Introspection method",

1460

exc_info=error)

1560

1461

return xmlstring

1561

1462

1562

1463

1594

1495

1595

1496

@dbus.service.method(dbus.INTROSPECTABLE_IFACE,

1596

1497

out_signature="s",

1597

path_keyword="object_path",

1598

connection_keyword="connection")

1498

path_keyword='object_path',

1499

connection_keyword='connection')

1599

1500

def Introspect(self, object_path, connection):

1600

1501

"""Overloading of standard D-Bus method.

1601

1502

1626

1527

document.unlink()

1627

1528

except (AttributeError, xml.dom.DOMException,

1628

1529

xml.parsers.expat.ExpatError) as error:

1629

log.error("Failed to override Introspection method",

1630

exc_info=error)

1530

logger.error("Failed to override Introspection method",

1531

exc_info=error)

1631

1532

return xmlstring

1632

1533

1633

1534

2097

1998

def Name_dbus_property(self):

2098

1999

return dbus.String(self.name)

2099

2000

2100

# KeyID - property

2101

@dbus_annotations(

2102

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2103

@dbus_service_property(_interface, signature="s", access="read")

2104

def KeyID_dbus_property(self):

2105

return dbus.String(self.key_id)

2106

2107

2001

# Fingerprint - property

2108

2002

@dbus_annotations(

2109

2003

{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})

2264

2158

del _interface

2265

2159

2266

2160

2267

class ProxyClient:

2268

def __init__(self, child_pipe, key_id, fpr, address):

2161

class ProxyClient(object):

2162

def __init__(self, child_pipe, fpr, address):

2269

2163

self._pipe = child_pipe

2270

self._pipe.send(("init", key_id, fpr, address))

2164

self._pipe.send(('init', fpr, address))

2271

2165

if not self._pipe.recv():

2272

raise KeyError(key_id or fpr)

2166

raise KeyError(fpr)

2273

2167

2274

2168

def __getattribute__(self, name):

2275

if name == "_pipe":

2169

if name == '_pipe':

2276

2170

return super(ProxyClient, self).__getattribute__(name)

2277

self._pipe.send(("getattr", name))

2171

self._pipe.send(('getattr', name))

2278

2172

data = self._pipe.recv()

2279

if data[0] == "data":

2173

if data[0] == 'data':

2280

2174

return data[1]

2281

if data[0] == "function":

2175

if data[0] == 'function':

2282

2176

2283

2177

def func(*args, **kwargs):

2284

self._pipe.send(("funcall", name, args, kwargs))

2178

self._pipe.send(('funcall', name, args, kwargs))

2285

2179

return self._pipe.recv()[1]

2286

2180

2287

2181

return func

2288

2182

2289

2183

def __setattr__(self, name, value):

2290

if name == "_pipe":

2184

if name == '_pipe':

2291

2185

return super(ProxyClient, self).__setattr__(name, value)

2292

self._pipe.send(("setattr", name, value))

2186

self._pipe.send(('setattr', name, value))

2293

2187

2294

2188

2295

2189

class ClientHandler(socketserver.BaseRequestHandler, object):

2300

2194

2301

2195

def handle(self):

2302

2196

with contextlib.closing(self.server.child_pipe) as child_pipe:

2303

log.info("TCP connection from: %s",

2304

str(self.client_address))

2305

log.debug("Pipe FD: %d", self.server.child_pipe.fileno())

2197

logger.info("TCP connection from: %s",

2198

str(self.client_address))

2199

logger.debug("Pipe FD: %d",

2200

self.server.child_pipe.fileno())

2306

2201

2307

2202

session = gnutls.ClientSession(self.request)

2308

2203

2309

# priority = ":".join(("NONE", "+VERS-TLS1.1",

2204

# priority = ':'.join(("NONE", "+VERS-TLS1.1",

2310

2205

# "+AES-256-CBC", "+SHA1",

2311

2206

# "+COMP-NULL", "+CTYPE-OPENPGP",

2312

2207

# "+DHE-DSS"))

2314

2209

priority = self.server.gnutls_priority

2315

2210

if priority is None:

2316

2211

priority = "NORMAL"

2317

gnutls.priority_set_direct(session,

2318

priority.encode("utf-8"), None)

2212

gnutls.priority_set_direct(session._c_object,

2213

priority.encode("utf-8"),

2214

None)

2319

2215

2320

2216

# Start communication using the Mandos protocol

2321

2217

# Get protocol number

2322

2218

line = self.request.makefile().readline()

2323

log.debug("Protocol version: %r", line)

2219

logger.debug("Protocol version: %r", line)

2324

2220

try:

2325

2221

if int(line.strip().split()[0]) > 1:

2326

2222

raise RuntimeError(line)

2327

2223

except (ValueError, IndexError, RuntimeError) as error:

2328

log.error("Unknown protocol version: %s", error)

2224

logger.error("Unknown protocol version: %s", error)

2329

2225

return

2330

2226

2331

2227

# Start GnuTLS connection

2332

2228

try:

2333

2229

session.handshake()

2334

2230

except gnutls.Error as error:

2335

log.warning("Handshake failed: %s", error)

2231

logger.warning("Handshake failed: %s", error)

2336

2232

# Do not run session.bye() here: the session is not

2337

2233

# established. Just abandon the request.

2338

2234

return

2339

log.debug("Handshake succeeded")

2235

logger.debug("Handshake succeeded")

2340

2236

2341

2237

approval_required = False

2342

2238

try:

2343

if gnutls.has_rawpk:

2344

fpr = b""

2345

try:

2346

key_id = self.key_id(

2347

self.peer_certificate(session))

2348

except (TypeError, gnutls.Error) as error:

2349

log.warning("Bad certificate: %s", error)

2350

return

2351

log.debug("Key ID: %s",

2352

key_id.decode("utf-8",

2353

errors="replace"))

2354

2355

else:

2356

key_id = b""

2357

try:

2358

fpr = self.fingerprint(

2359

self.peer_certificate(session))

2360

except (TypeError, gnutls.Error) as error:

2361

log.warning("Bad certificate: %s", error)

2362

return

2363

log.debug("Fingerprint: %s", fpr)

2364

2365

try:

2366

client = ProxyClient(child_pipe, key_id, fpr,

2239

try:

2240

fpr = self.fingerprint(

2241

self.peer_certificate(session))

2242

except (TypeError, gnutls.Error) as error:

2243

logger.warning("Bad certificate: %s", error)

2244

return

2245

logger.debug("Fingerprint: %s", fpr)

2246

2247

try:

2248

client = ProxyClient(child_pipe, fpr,

2367

2249

self.client_address)

2368

2250

except KeyError:

2369

2251

return

2375

2257

2376

2258

while True:

2377

2259

if not client.enabled:

2378

log.info("Client %s is disabled", client.name)

2260

logger.info("Client %s is disabled",

2261

client.name)

2379

2262

if self.server.use_dbus:

2380

2263

# Emit D-Bus signal

2381

2264

client.Rejected("Disabled")

2385

2268

# We are approved or approval is disabled

2386

2269

break

2387

2270

elif client.approved is None:

2388

log.info("Client %s needs approval",

2389

client.name)

2271

logger.info("Client %s needs approval",

2272

client.name)

2390

2273

if self.server.use_dbus:

2391

2274

# Emit D-Bus signal

2392

2275

client.NeedApproval(

2393

2276

client.approval_delay.total_seconds()

2394

2277

* 1000, client.approved_by_default)

2395

2278

else:

2396

log.warning("Client %s was not approved",

2397

client.name)

2279

logger.warning("Client %s was not approved",

2280

client.name)

2398

2281

if self.server.use_dbus:

2399

2282

# Emit D-Bus signal

2400

2283

client.Rejected("Denied")

2408

2291

time2 = datetime.datetime.now()

2409

2292

if (time2 - time) >= delay:

2410

2293

if not client.approved_by_default:

2411

log.warning("Client %s timed out while"

2412

" waiting for approval",

2413

client.name)

2294

logger.warning("Client %s timed out while"

2295

" waiting for approval",

2296

client.name)

2414

2297

if self.server.use_dbus:

2415

2298

# Emit D-Bus signal

2416

2299

client.Rejected("Approval timed out")

2423

2306

try:

2424

2307

session.send(client.secret)

2425

2308

except gnutls.Error as error:

2426

log.warning("gnutls send failed", exc_info=error)

2309

logger.warning("gnutls send failed",

2310

exc_info=error)

2427

2311

return

2428

2312

2429

log.info("Sending secret to %s", client.name)

2313

logger.info("Sending secret to %s", client.name)

2430

2314

# bump the timeout using extended_timeout

2431

2315

client.bump_timeout(client.extended_timeout)

2432

2316

if self.server.use_dbus:

2439

2323

try:

2440

2324

session.bye()

2441

2325

except gnutls.Error as error:

2442

log.warning("GnuTLS bye failed", exc_info=error)

2326

logger.warning("GnuTLS bye failed",

2327

exc_info=error)

2443

2328

2444

2329

@staticmethod

2445

2330

def peer_certificate(session):

2446

"Return the peer's certificate as a bytestring"

2447

try:

2448

cert_type = gnutls.certificate_type_get2(

2449

session, gnutls.CTYPE_PEERS)

2450

except AttributeError:

2451

cert_type = gnutls.certificate_type_get(session)

2452

if gnutls.has_rawpk:

2453

valid_cert_types = frozenset((gnutls.CRT_RAWPK,))

2454

else:

2455

valid_cert_types = frozenset((gnutls.CRT_OPENPGP,))

2456

# If not a valid certificate type...

2457

if cert_type not in valid_cert_types:

2458

log.info("Cert type %r not in %r", cert_type,

2459

valid_cert_types)

2331

"Return the peer's OpenPGP certificate as a bytestring"

2332

# If not an OpenPGP certificate...

2333

if (gnutls.certificate_type_get(session._c_object)

2334

!= gnutls.CRT_OPENPGP):

2460

2335

# ...return invalid data

2461

2336

return b""

2462

2337

list_size = ctypes.c_uint(1)

2463

2338

cert_list = (gnutls.certificate_get_peers

2464

(session, ctypes.byref(list_size)))

2339

(session._c_object, ctypes.byref(list_size)))

2465

2340

if not bool(cert_list) and list_size.value != 0:

2466

2341

raise gnutls.Error("error getting peer certificate")

2467

2342

if list_size.value == 0:

2470

2345

return ctypes.string_at(cert.data, cert.size)

2471

2346

2472

2347

@staticmethod

2473

def key_id(certificate):

2474

"Convert a certificate bytestring to a hexdigit key ID"

2475

# New GnuTLS "datum" with the public key

2476

datum = gnutls.datum_t(

2477

ctypes.cast(ctypes.c_char_p(certificate),

2478

ctypes.POINTER(ctypes.c_ubyte)),

2479

ctypes.c_uint(len(certificate)))

2480

# XXX all these need to be created in the gnutls "module"

2481

# New empty GnuTLS certificate

2482

pubkey = gnutls.pubkey_t()

2483

gnutls.pubkey_init(ctypes.byref(pubkey))

2484

# Import the raw public key into the certificate

2485

gnutls.pubkey_import(pubkey,

2486

ctypes.byref(datum),

2487

gnutls.X509_FMT_DER)

2488

# New buffer for the key ID

2489

buf = ctypes.create_string_buffer(32)

2490

buf_len = ctypes.c_size_t(len(buf))

2491

# Get the key ID from the raw public key into the buffer

2492

gnutls.pubkey_get_key_id(

2493

pubkey,

2494

gnutls.KEYID_USE_SHA256,

2495

ctypes.cast(ctypes.byref(buf),

2496

ctypes.POINTER(ctypes.c_ubyte)),

2497

ctypes.byref(buf_len))

2498

# Deinit the certificate

2499

gnutls.pubkey_deinit(pubkey)

2500

2501

# Convert the buffer to a Python bytestring

2502

key_id = ctypes.string_at(buf, buf_len.value)

2503

# Convert the bytestring to hexadecimal notation

2504

hex_key_id = binascii.hexlify(key_id).upper()

2505

return hex_key_id

2506

2507

@staticmethod

2508

2348

def fingerprint(openpgp):

2509

2349

"Convert an OpenPGP bytestring to a hexdigit fingerprint"

2510

2350

# New GnuTLS "datum" with the OpenPGP public key

2524

2364

ctypes.byref(crtverify))

2525

2365

if crtverify.value != 0:

2526

2366

gnutls.openpgp_crt_deinit(crt)

2527

raise gnutls.CertificateSecurityError(code

2528

=crtverify.value)

2367

raise gnutls.CertificateSecurityError("Verify failed")

2529

2368

# New buffer for the fingerprint

2530

2369

buf = ctypes.create_string_buffer(20)

2531

2370

buf_len = ctypes.c_size_t()

2541

2380

return hex_fpr

2542

2381

2543

2382

2544

class MultiprocessingMixIn:

2383

class MultiprocessingMixIn(object):

2545

2384

"""Like socketserver.ThreadingMixIn, but with multiprocessing"""

2546

2385

2547

2386

def sub_process_main(self, request, address):

2559

2398

return proc

2560

2399

2561

2400

2562

class MultiprocessingMixInWithPipe(MultiprocessingMixIn):

2401

class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):

2563

2402

""" adds a pipe to the MixIn """

2564

2403

2565

2404

def process_request(self, request, client_address):

2580

2419

2581

2420

2582

2421

class IPv6_TCPServer(MultiprocessingMixInWithPipe,

2583

socketserver.TCPServer):

2584

"""IPv6-capable TCP server. Accepts None as address and/or port

2422

socketserver.TCPServer, object):

2423

"""IPv6-capable TCP server. Accepts 'None' as address and/or port

2585

2424

2586

2425

Attributes:

2587

2426

enabled: Boolean; whether this server is activated yet

2638

2477

if SO_BINDTODEVICE is None:

2639

2478

# Fall back to a hard-coded value which seems to be

2640

2479

# common enough.

2641

log.warning("SO_BINDTODEVICE not found, trying 25")

2480

logger.warning("SO_BINDTODEVICE not found, trying 25")

2642

2481

SO_BINDTODEVICE = 25

2643

2482

try:

2644

2483

self.socket.setsockopt(

2646

2485

(self.interface + "\0").encode("utf-8"))

2647

2486

except socket.error as error:

2648

2487

if error.errno == errno.EPERM:

2649

log.error("No permission to bind to interface %s",

2650

self.interface)

2488

logger.error("No permission to bind to"

2489

" interface %s", self.interface)

2651

2490

elif error.errno == errno.ENOPROTOOPT:

2652

log.error("SO_BINDTODEVICE not available; cannot"

2653

" bind to interface %s", self.interface)

2491

logger.error("SO_BINDTODEVICE not available;"

2492

" cannot bind to interface %s",

2493

self.interface)

2654

2494

elif error.errno == errno.ENODEV:

2655

log.error("Interface %s does not exist, cannot"

2656

" bind", self.interface)

2495

logger.error("Interface %s does not exist,"

2496

" cannot bind", self.interface)

2657

2497

else:

2658

2498

raise

2659

2499

# Only bind(2) the socket if we really need to.

2660

2500

if self.server_address[0] or self.server_address[1]:

2661

if self.server_address[1]:

2662

self.allow_reuse_address = True

2663

2501

if not self.server_address[0]:

2664

2502

if self.address_family == socket.AF_INET6:

2665

2503

any_address = "::" # in6addr_any

2718

2556

def add_pipe(self, parent_pipe, proc):

2719

2557

# Call "handle_ipc" for both data and EOF events

2720

2558

GLib.io_add_watch(

2721

GLib.IOChannel.unix_new(parent_pipe.fileno()),

2722

GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,

2559

parent_pipe.fileno(),

2560

GLib.IO_IN | GLib.IO_HUP,

2723

2561

functools.partial(self.handle_ipc,

2724

2562

parent_pipe=parent_pipe,

2725

2563

proc=proc))

2738

2576

request = parent_pipe.recv()

2739

2577

command = request[0]

2740

2578

2741

if command == "init":

2742

key_id = request[1].decode("ascii")

2743

fpr = request[2].decode("ascii")

2744

address = request[3]

2579

if command == 'init':

2580

fpr = request[1]

2581

address = request[2]

2745

2582

2746

2583

for c in self.clients.values():

2747

if key_id == ("E3B0C44298FC1C149AFBF4C8996FB924"

2748

"27AE41E4649B934CA495991B7852B855"):

2749

continue

2750

if key_id and c.key_id == key_id:

2751

client = c

2752

break

2753

if fpr and c.fingerprint == fpr:

2584

if c.fingerprint == fpr:

2754

2585

client = c

2755

2586

break

2756

2587

else:

2757

log.info("Client not found for key ID: %s, address:"

2758

" %s", key_id or fpr, address)

2588

logger.info("Client not found for fingerprint: %s, ad"

2589

"dress: %s", fpr, address)

2759

2590

if self.use_dbus:

2760

2591

# Emit D-Bus signal

2761

mandos_dbus_service.ClientNotFound(key_id or fpr,

2592

mandos_dbus_service.ClientNotFound(fpr,

2762

2593

address[0])

2763

2594

parent_pipe.send(False)

2764

2595

return False

2765

2596

2766

2597

GLib.io_add_watch(

2767

GLib.IOChannel.unix_new(parent_pipe.fileno()),

2768

GLib.PRIORITY_DEFAULT, GLib.IO_IN | GLib.IO_HUP,

2598

parent_pipe.fileno(),

2599

GLib.IO_IN | GLib.IO_HUP,

2769

2600

functools.partial(self.handle_ipc,

2770

2601

parent_pipe=parent_pipe,

2771

2602

proc=proc,

2774

2605

# remove the old hook in favor of the new above hook on

2775

2606

# same fileno

2776

2607

return False

2777

if command == "funcall":

2608

if command == 'funcall':

2778

2609

funcname = request[1]

2779

2610

args = request[2]

2780

2611

kwargs = request[3]

2781

2612

2782

parent_pipe.send(("data", getattr(client_object,

2613

parent_pipe.send(('data', getattr(client_object,

2783

2614

funcname)(*args,

2784

2615

**kwargs)))

2785

2616

2786

if command == "getattr":

2617

if command == 'getattr':

2787

2618

attrname = request[1]

2788

2619

if isinstance(client_object.__getattribute__(attrname),

2789

collections.abc.Callable):

2790

parent_pipe.send(("function", ))

2620

collections.Callable):

2621

parent_pipe.send(('function', ))

2791

2622

else:

2792

2623

parent_pipe.send((

2793

"data", client_object.__getattribute__(attrname)))

2624

'data', client_object.__getattribute__(attrname)))

2794

2625

2795

if command == "setattr":

2626

if command == 'setattr':

2796

2627

attrname = request[1]

2797

2628

value = request[2]

2798

2629

setattr(client_object, attrname, value)

2803

2634

def rfc3339_duration_to_delta(duration):

2804

2635

"""Parse an RFC 3339 "duration" and return a datetime.timedelta

2805

2636

2806

>>> timedelta = datetime.timedelta

2807

>>> rfc3339_duration_to_delta("P7D") == timedelta(7)

2808

True

2809

>>> rfc3339_duration_to_delta("PT60S") == timedelta(0, 60)

2810

True

2811

>>> rfc3339_duration_to_delta("PT60M") == timedelta(0, 3600)

2812

True

2813

>>> rfc3339_duration_to_delta("PT24H") == timedelta(1)

2814

True

2815

>>> rfc3339_duration_to_delta("P1W") == timedelta(7)

2816

True

2817

>>> rfc3339_duration_to_delta("PT5M30S") == timedelta(0, 330)

2818

True

2819

>>> rfc3339_duration_to_delta("P1DT3M20S") == timedelta(1, 200)

2820

True

2821

>>> del timedelta

2637

>>> rfc3339_duration_to_delta("P7D")

2638

datetime.timedelta(7)

2639

>>> rfc3339_duration_to_delta("PT60S")

2640

datetime.timedelta(0, 60)

2641

>>> rfc3339_duration_to_delta("PT60M")

2642

datetime.timedelta(0, 3600)

2643

>>> rfc3339_duration_to_delta("PT24H")

2644

datetime.timedelta(1)

2645

>>> rfc3339_duration_to_delta("P1W")

2646

datetime.timedelta(7)

2647

>>> rfc3339_duration_to_delta("PT5M30S")

2648

datetime.timedelta(0, 330)

2649

>>> rfc3339_duration_to_delta("P1DT3M20S")

2650

datetime.timedelta(1, 200)

2822

2651

"""

2823

2652

2824

2653

# Parsing an RFC 3339 duration with regular expressions is not

2904

2733

def string_to_delta(interval):

2905

2734

"""Parse a string and return a datetime.timedelta

2906

2735

2907

>>> string_to_delta("7d") == datetime.timedelta(7)

2908

True

2909

>>> string_to_delta("60s") == datetime.timedelta(0, 60)

2910

True

2911

>>> string_to_delta("60m") == datetime.timedelta(0, 3600)

2912

True

2913

>>> string_to_delta("24h") == datetime.timedelta(1)

2914

True

2915

>>> string_to_delta("1w") == datetime.timedelta(7)

2916

True

2917

>>> string_to_delta("5m 30s") == datetime.timedelta(0, 330)

2918

True

2736

>>> string_to_delta('7d')

2737

datetime.timedelta(7)

2738

>>> string_to_delta('60s')

2739

datetime.timedelta(0, 60)

2740

>>> string_to_delta('60m')

2741

datetime.timedelta(0, 3600)

2742

>>> string_to_delta('24h')

2743

datetime.timedelta(1)

2744

>>> string_to_delta('1w')

2745

datetime.timedelta(7)

2746

>>> string_to_delta('5m 30s')

2747

datetime.timedelta(0, 330)

2919

2748

"""

2920

2749

2921

2750

try:

3023

2852

3024

2853

options = parser.parse_args()

3025

2854

2855

if options.check:

2856

import doctest

2857

fail_count, test_count = doctest.testmod()

2858

sys.exit(os.EX_OK if fail_count == 0 else 1)

2859

3026

2860

# Default values for config file for server-global settings

3027

if gnutls.has_rawpk:

3028

priority = ("SECURE128:!CTYPE-X.509:+CTYPE-RAWPK:!RSA"

3029

":!VERS-ALL:+VERS-TLS1.3:%PROFILE_ULTRA")

3030

else:

3031

priority = ("SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

3032

":+SIGN-DSA-SHA256")

3033

2861

server_defaults = {"interface": "",

3034

2862

"address": "",

3035

2863

"port": "",

3036

2864

"debug": "False",

3037

"priority": priority,

2865

"priority":

2866

"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"

2867

":+SIGN-DSA-SHA256",

3038

2868

"servicename": "Mandos",

3039

2869

"use_dbus": "True",

3040

2870

"use_ipv6": "True",

3045

2875

"foreground": "False",

3046

2876

"zeroconf": "True",

3047

2877

}

3048

del priority

3049

2878

3050

2879

# Parse config file for server-global settings

3051

server_config = configparser.ConfigParser(server_defaults)

2880

server_config = configparser.SafeConfigParser(server_defaults)

3052

2881

del server_defaults

3053

2882

server_config.read(os.path.join(options.configdir, "mandos.conf"))

3054

# Convert the ConfigParser object to a dict

2883

# Convert the SafeConfigParser object to a dict

3055

2884

server_settings = server_config.defaults()

3056

2885

# Use the appropriate methods on the non-string config options

3057

for option in ("debug", "use_dbus", "use_ipv6", "restore",

3058

"foreground", "zeroconf"):

2886

for option in ("debug", "use_dbus", "use_ipv6", "foreground"):

3059

2887

server_settings[option] = server_config.getboolean("DEFAULT",

3060

2888

option)

3061

2889

if server_settings["port"]:

3124

2952

3125

2953

if server_settings["servicename"] != "Mandos":

3126

2954

syslogger.setFormatter(

3127

logging.Formatter("Mandos ({}) [%(process)d]:"

3128

" %(levelname)s: %(message)s".format(

2955

logging.Formatter('Mandos ({}) [%(process)d]:'

2956

' %(levelname)s: %(message)s'.format(

3129

2957

server_settings["servicename"])))

3130

2958

3131

2959

# Parse config file with clients

3132

client_config = configparser.ConfigParser(Client.client_defaults)

2960

client_config = configparser.SafeConfigParser(Client

2961

.client_defaults)

3133

2962

client_config.read(os.path.join(server_settings["configdir"],

3134

2963

"clients.conf"))

3135

2964

3155

2984

try:

3156

2985

pidfile = codecs.open(pidfilename, "w", encoding="utf-8")

3157

2986

except IOError as e:

3158

log.error("Could not open file %r", pidfilename,

3159

exc_info=e)

2987

logger.error("Could not open file %r", pidfilename,

2988

exc_info=e)

3160

2989

3161

2990

for name, group in (("_mandos", "_mandos"),

3162

2991

("mandos", "mandos"),

3173

3002

try:

3174

3003

os.setgid(gid)

3175

3004

os.setuid(uid)

3176

log.debug("Did setuid/setgid to %s:%s", uid, gid)

3005

if debug:

3006

logger.debug("Did setuid/setgid to {}:{}".format(uid,

3007

gid))

3177

3008

except OSError as error:

3178

log.warning("Failed to setuid/setgid to %s:%s: %s", uid, gid,

3179

os.strerror(error.errno))

3009

logger.warning("Failed to setuid/setgid to {}:{}: {}"

3010

.format(uid, gid, os.strerror(error.errno)))

3180

3011

if error.errno != errno.EPERM:

3181

3012

raise

3182

3013

3189

3020

3190

3021

@gnutls.log_func

3191

3022

def debug_gnutls(level, string):

3192

log.debug("GnuTLS: %s",

3193

string[:-1].decode("utf-8", errors="replace"))

3023

logger.debug("GnuTLS: %s", string[:-1])

3194

3024

3195

3025

gnutls.global_set_log_function(debug_gnutls)

3196

3026

3205

3035

# Close all input and output, do double fork, etc.

3206

3036

daemon()

3207

3037

3208

if gi.version_info < (3, 10, 2):

3209

# multiprocessing will use threads, so before we use GLib we

3210

# need to inform GLib that threads will be used.

3211

GLib.threads_init()

3038

# multiprocessing will use threads, so before we use GLib we need

3039

# to inform GLib that threads will be used.

3040

GLib.threads_init()

3212

3041

3213

3042

global main_loop

3214

3043

# From the Avahi example code

3225

3054

"se.bsnet.fukt.Mandos", bus,

3226

3055

do_not_queue=True)

3227

3056

except dbus.exceptions.DBusException as e:

3228

log.error("Disabling D-Bus:", exc_info=e)

3057

logger.error("Disabling D-Bus:", exc_info=e)

3229

3058

use_dbus = False

3230

3059

server_settings["use_dbus"] = False

3231

3060

tcp_server.use_dbus = False

3290

3119

if isinstance(s, bytes)

3291

3120

else s) for s in

3292

3121

value["client_structure"]]

3293

# .name, .host, and .checker_command

3294

for k in ("name", "host", "checker_command"):

3122

# .name & .host

3123

for k in ("name", "host"):

3295

3124

if isinstance(value[k], bytes):

3296

3125

value[k] = value[k].decode("utf-8")

3297

if "key_id" not in value:

3298

value["key_id"] = ""

3299

elif "fingerprint" not in value:

3300

value["fingerprint"] = ""

3301

3126

# old_client_settings

3302

3127

# .keys()

3303

3128

old_client_settings = {

3307

3132

for key, value in

3308

3133

bytes_old_client_settings.items()}

3309

3134

del bytes_old_client_settings

3310

# .host and .checker_command

3135

# .host

3311

3136

for value in old_client_settings.values():

3312

for attribute in ("host", "checker_command"):

3313

if isinstance(value[attribute], bytes):

3314

value[attribute] = (value[attribute]

3315

.decode("utf-8"))

3137

if isinstance(value["host"], bytes):

3138

value["host"] = (value["host"]

3139

.decode("utf-8"))

3316

3140

os.remove(stored_state_path)

3317

3141

except IOError as e:

3318

3142

if e.errno == errno.ENOENT:

3319

log.warning("Could not load persistent state:"

3320

" %s", os.strerror(e.errno))

3143

logger.warning("Could not load persistent state:"

3144

" {}".format(os.strerror(e.errno)))

3321

3145

else:

3322

log.critical("Could not load persistent state:",

3323

exc_info=e)

3146

logger.critical("Could not load persistent state:",

3147

exc_info=e)

3324

3148

raise

3325

3149

except EOFError as e:

3326

log.warning("Could not load persistent state: EOFError:",

3327

exc_info=e)

3150

logger.warning("Could not load persistent state: "

3151

"EOFError:",

3152

exc_info=e)

3328

3153

3329

3154

with PGPEngine() as pgp:

3330

3155

for client_name, client in clients_data.items():

3357

3182

if client["enabled"]:

3358

3183

if datetime.datetime.utcnow() >= client["expires"]:

3359

3184

if not client["last_checked_ok"]:

3360

log.warning("disabling client %s - Client"

3361

" never performed a successful"

3362

" checker", client_name)

3185

logger.warning(

3186

"disabling client {} - Client never "

3187

"performed a successful checker".format(

3188

client_name))

3363

3189

client["enabled"] = False

3364

3190

elif client["last_checker_status"] != 0:

3365

log.warning("disabling client %s - Client"

3366

" last checker failed with error"

3367

" code %s", client_name,

3368

client["last_checker_status"])

3191

logger.warning(

3192

"disabling client {} - Client last"

3193

" checker failed with error code"

3194

" {}".format(

3195

client_name,

3196

client["last_checker_status"]))

3369

3197

client["enabled"] = False

3370

3198

else:

3371

3199

client["expires"] = (

3372

3200

datetime.datetime.utcnow()

3373

3201

+ client["timeout"])

3374

log.debug("Last checker succeeded, keeping %s"

3375

" enabled", client_name)

3202

logger.debug("Last checker succeeded,"

3203

" keeping {} enabled".format(

3204

client_name))

3376

3205

try:

3377

3206

client["secret"] = pgp.decrypt(

3378

3207

client["encrypted_secret"],

3379

3208

client_settings[client_name]["secret"])

3380

3209

except PGPError:

3381

3210

# If decryption fails, we use secret from new settings

3382

log.debug("Failed to decrypt %s old secret",

3383

client_name)

3211

logger.debug("Failed to decrypt {} old secret".format(

3212

client_name))

3384

3213

client["secret"] = (client_settings[client_name]

3385

3214

["secret"])

3386

3215

3400

3229

server_settings=server_settings)

3401

3230

3402

3231

if not tcp_server.clients:

3403

log.warning("No clients defined")

3232

logger.warning("No clients defined")

3404

3233

3405

3234

if not foreground:

3406

3235

if pidfile is not None:

3409

3238

with pidfile:

3410

3239

print(pid, file=pidfile)

3411

3240

except IOError:

3412

log.error("Could not write to file %r with PID %d",

3413

pidfilename, pid)

3241

logger.error("Could not write to file %r with PID %d",

3242

pidfilename, pid)

3414

3243

del pidfile

3415

3244

del pidfilename

3416

3245

3436

3265

pass

3437

3266

3438

3267

@dbus.service.signal(_interface, signature="ss")

3439

def ClientNotFound(self, key_id, address):

3268

def ClientNotFound(self, fingerprint, address):

3440

3269

"D-Bus signal"

3441

3270

pass

3442

3271

3566

3395

3567

3396

try:

3568

3397

with tempfile.NamedTemporaryFile(

3569

mode="wb",

3398

mode='wb',

3570

3399

suffix=".pickle",

3571

prefix="clients-",

3400

prefix='clients-',

3572

3401

dir=os.path.dirname(stored_state_path),

3573

3402

delete=False) as stored_state:

3574

3403

pickle.dump((clients, client_settings), stored_state,

3582

3411

except NameError:

3583

3412

pass

3584

3413

if e.errno in (errno.ENOENT, errno.EACCES, errno.EEXIST):

3585

log.warning("Could not save persistent state: %s",

3586

os.strerror(e.errno))

3414

logger.warning("Could not save persistent state: {}"

3415

.format(os.strerror(e.errno)))

3587

3416

else:

3588

log.warning("Could not save persistent state:",

3589

exc_info=e)

3417

logger.warning("Could not save persistent state:",

3418

exc_info=e)

3590

3419

raise

3591

3420

3592

3421

# Delete all clients, and settings from config

3618

3447

if zeroconf:

3619

3448

service.port = tcp_server.socket.getsockname()[1]

3620

3449

if use_ipv6:

3621

log.info("Now listening on address %r, port %d, flowinfo %d,"

3622

" scope_id %d", *tcp_server.socket.getsockname())

3450

logger.info("Now listening on address %r, port %d,"

3451

" flowinfo %d, scope_id %d",

3452

*tcp_server.socket.getsockname())

3623

3453

else: # IPv4

3624

log.info("Now listening on address %r, port %d",

3625

*tcp_server.socket.getsockname())

3454

logger.info("Now listening on address %r, port %d",

3455

*tcp_server.socket.getsockname())

3626

3456

3627

3457

# service.interface = tcp_server.socket.getsockname()[3]

3628

3458

3632

3462

try:

3633

3463

service.activate()

3634

3464

except dbus.exceptions.DBusException as error:

3635

log.critical("D-Bus Exception", exc_info=error)

3465

logger.critical("D-Bus Exception", exc_info=error)

3636

3466

cleanup()

3637

3467

sys.exit(1)

3638

3468

# End of Avahi example code

3639

3469

3640

GLib.io_add_watch(

3641

GLib.IOChannel.unix_new(tcp_server.fileno()),

3642

GLib.PRIORITY_DEFAULT, GLib.IO_IN,

3643

lambda *args, **kwargs: (tcp_server.handle_request

3644

(*args[2:], **kwargs) or True))

3470

GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,

3471

lambda *args, **kwargs:

3472

(tcp_server.handle_request

3473

(*args[2:], **kwargs) or True))

3645

3474

3646

log.debug("Starting main loop")

3475

logger.debug("Starting main loop")

3647

3476

main_loop.run()

3648

3477

except AvahiError as error:

3649

log.critical("Avahi Error", exc_info=error)

3478

logger.critical("Avahi Error", exc_info=error)

3650

3479

cleanup()

3651

3480

sys.exit(1)

3652

3481

except KeyboardInterrupt:

3653

3482

if debug:

3654

3483

print("", file=sys.stderr)

3655

log.debug("Server received KeyboardInterrupt")

3656

log.debug("Server exiting")

3484

logger.debug("Server received KeyboardInterrupt")

3485

logger.debug("Server exiting")

3657

3486

# Must run before the D-Bus bus name gets deregistered

3658

3487

cleanup()

3659

3488

3660

3661

def parse_test_args():

3662

# type: () -> argparse.Namespace

3663

parser = argparse.ArgumentParser(add_help=False)

3664

parser.add_argument("--check", action="store_true")

3665

parser.add_argument("--prefix", )

3666

args, unknown_args = parser.parse_known_args()

3667

if args.check:

3668

# Remove test options from sys.argv

3669

sys.argv[1:] = unknown_args

3670

return args

3671

3672

# Add all tests from doctest strings

3673

def load_tests(loader, tests, none):

3674

import doctest

3675

tests.addTests(doctest.DocTestSuite())

3676

return tests

3677

3678

if __name__ == "__main__":

3679

options = parse_test_args()

3680

try:

3681

if options.check:

3682

extra_test_prefix = options.prefix

3683

if extra_test_prefix is not None:

3684

if not (unittest.main(argv=[""], exit=False)

3685

.result.wasSuccessful()):

3686

sys.exit(1)

3687

class ExtraTestLoader(unittest.TestLoader):

3688

testMethodPrefix = extra_test_prefix

3689

# Call using ./scriptname --test [--verbose]

3690

unittest.main(argv=[""], testLoader=ExtraTestLoader())

3691

else:

3692

unittest.main(argv=[""])

3693

else:

3694

main()

3695

finally:

3696

logging.shutdown()

3697

3698

# Local Variables:

3699

# run-tests:

3700

# (lambda (&optional extra)

3701

# (if (not (funcall run-tests-in-test-buffer default-directory

3702

# extra))

3703

# (funcall show-test-buffer-in-test-window)

3704

# (funcall remove-test-window)

3705

# (if extra (message "Extra tests run successfully!"))))

3706

# run-tests-in-test-buffer:

3707

# (lambda (dir &optional extra)

3708

# (with-current-buffer (get-buffer-create "*Test*")

3709

# (setq buffer-read-only nil

3710

# default-directory dir)

3711

# (erase-buffer)

3712

# (compilation-mode))

3713

# (let ((process-result

3714

# (let ((inhibit-read-only t))

3715

# (process-file-shell-command

3716

# (funcall get-command-line extra) nil "*Test*"))))

3717

# (and (numberp process-result)

3718

# (= process-result 0))))

3719

# get-command-line:

3720

# (lambda (&optional extra)

3721

# (let ((quoted-script

3722

# (shell-quote-argument (funcall get-script-name))))

3723

# (format

3724

# (concat "%s --check" (if extra " --prefix=atest" ""))

3725

# quoted-script)))

3726

# get-script-name:

3727

# (lambda ()

3728

# (if (fboundp 'file-local-name)

3729

# (file-local-name (buffer-file-name))

3730

# (or (file-remote-p (buffer-file-name) 'localname)

3731

# (buffer-file-name))))

3732

# remove-test-window:

3733

# (lambda ()

3734

# (let ((test-window (get-buffer-window "*Test*")))

3735

# (if test-window (delete-window test-window))))

3736

# show-test-buffer-in-test-window:

3737

# (lambda ()

3738

# (when (not (get-buffer-window-list "*Test*"))

3739

# (setq next-error-last-buffer (get-buffer "*Test*"))

3740

# (let* ((side (if (>= (window-width) 146) 'right 'bottom))

3741

# (display-buffer-overriding-action

3742

# `((display-buffer-in-side-window) (side . ,side)

3743

# (window-height . fit-window-to-buffer)

3744

# (window-width . fit-window-to-buffer))))

3745

# (display-buffer "*Test*"))))

3746

# eval:

3747

# (progn

3748

# (let* ((run-extra-tests (lambda () (interactive)

3749

# (funcall run-tests t)))

3750

# (inner-keymap `(keymap (116 . ,run-extra-tests))) ; t

3751

# (outer-keymap `(keymap (3 . ,inner-keymap)))) ; C-c

3752

# (setq minor-mode-overriding-map-alist

3753

# (cons `(run-tests . ,outer-keymap)

3754

# minor-mode-overriding-map-alist)))

3755

# (add-hook 'after-save-hook run-tests 90 t))

3756

# End:

3489

3490

if __name__ == '__main__':

3491

main()