To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 921
- compare with another revision
- download diff
- download tarball
- view history from revision 921
- Committer: Teddy Hogeborn
- Date: 2018-02-06 20:03:50 UTC
- Revision ID: teddy@recompile.se-20180206200350-jzvorueb731xkph3
Update Debian Debhelper compatibility version.
* (debian/compat): Change to "10".
* (debian/compat): Change to "10".
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2017 Teddy Hogeborn
15
# Copyright © 2008-2017 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.crypto
48
import gnutls.connection
49
import gnutls.errors
50
import gnutls.library.functions
51
import gnutls.library.constants
52
import gnutls.library.types
53
51
try:
54
52
import ConfigParser as configparser
55
53
except ImportError:
82
80
83
81
import dbus
84
82
import dbus.service
85
try:
86
import gobject
87
except ImportError:
88
from gi.repository import GObject as gobject
89
import avahi
83
from gi.repository import GLib
90
84
from dbus.mainloop.glib import DBusGMainLoop
91
85
import ctypes
92
86
import ctypes.util
93
87
import xml.dom.minidom
94
88
import inspect
95
89
90
# Try to find the value of SO_BINDTODEVICE:
96
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
97
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
98
95
except AttributeError:
99
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
100
99
from IN import SO_BINDTODEVICE
101
100
except ImportError:
102
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
103
114
104
115
if sys.version_info.major == 2:
105
116
str = unicode
106
117
107
version = "1.6.9"
118
version = "1.7.16"
108
119
stored_state_file = "clients.pickle"
109
120
110
121
logger = logging.getLogger()
114
125
if_nametoindex = ctypes.cdll.LoadLibrary(
115
126
ctypes.util.find_library("c")).if_nametoindex
116
127
except (OSError, AttributeError):
117
128
118
129
def if_nametoindex(interface):
119
130
"Get an interface index the hard way, i.e. using fcntl()"
120
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
125
136
return interface_index
126
137
127
138
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
128
155
def initlogger(debug, level=logging.WARNING):
129
156
"""init logger and add loglevel"""
130
157
131
158
global syslogger
132
159
syslogger = (logging.handlers.SysLogHandler(
133
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
134
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
135
162
syslogger.setFormatter(logging.Formatter
136
163
('Mandos [%(process)d]: %(levelname)s:'
137
164
' %(message)s'))
138
165
logger.addHandler(syslogger)
139
166
140
167
if debug:
141
168
console = logging.StreamHandler()
142
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
154
181
155
182
class PGPEngine(object):
156
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
157
184
158
185
def __init__(self):
159
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
160
198
self.gnupgargs = ['--batch',
161
'--home', self.tempdir,
199
'--homedir', self.tempdir,
162
200
'--force-mdc',
163
'--quiet',
164
'--no-use-agent']
165
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
166
206
def __enter__(self):
167
207
return self
168
208
169
209
def __exit__(self, exc_type, exc_value, traceback):
170
210
self._cleanup()
171
211
return False
172
212
173
213
def __del__(self):
174
214
self._cleanup()
175
215
176
216
def _cleanup(self):
177
217
if self.tempdir is not None:
178
218
# Delete contents of tempdir
179
219
for root, dirs, files in os.walk(self.tempdir,
180
topdown = False):
220
topdown=False):
181
221
for filename in files:
182
222
os.remove(os.path.join(root, filename))
183
223
for dirname in dirs:
185
225
# Remove tempdir
186
226
os.rmdir(self.tempdir)
187
227
self.tempdir = None
188
228
189
229
def password_encode(self, password):
190
230
# Passphrase can not be empty and can not contain newlines or
191
231
# NUL bytes. So we prefix it and hex encode it.
196
236
.replace(b"\n", b"\\n")
197
237
.replace(b"\0", b"\\x00"))
198
238
return encoded
199
239
200
240
def encrypt(self, data, password):
201
241
passphrase = self.password_encode(password)
202
242
with tempfile.NamedTemporaryFile(
203
243
dir=self.tempdir) as passfile:
204
244
passfile.write(passphrase)
205
245
passfile.flush()
206
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
207
247
'--passphrase-file',
208
248
passfile.name]
209
249
+ self.gnupgargs,
210
stdin = subprocess.PIPE,
211
stdout = subprocess.PIPE,
212
stderr = subprocess.PIPE)
213
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
214
254
if proc.returncode != 0:
215
255
raise PGPError(err)
216
256
return ciphertext
217
257
218
258
def decrypt(self, data, password):
219
259
passphrase = self.password_encode(password)
220
260
with tempfile.NamedTemporaryFile(
221
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
222
262
passfile.write(passphrase)
223
263
passfile.flush()
224
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
225
265
'--passphrase-file',
226
266
passfile.name]
227
267
+ self.gnupgargs,
228
stdin = subprocess.PIPE,
229
stdout = subprocess.PIPE,
230
stderr = subprocess.PIPE)
231
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
232
272
if proc.returncode != 0:
233
273
raise PGPError(err)
234
274
return decrypted_plaintext
235
275
236
276
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
237
304
class AvahiError(Exception):
238
305
def __init__(self, value, *args, **kwargs):
239
306
self.value = value
251
318
252
319
class AvahiService(object):
253
320
"""An Avahi (Zeroconf) service.
254
321
255
322
Attributes:
256
323
interface: integer; avahi.IF_UNSPEC or an interface index.
257
324
Used to optionally bind to the specified interface.
269
336
server: D-Bus Server
270
337
bus: dbus.SystemBus()
271
338
"""
272
339
273
340
def __init__(self,
274
interface = avahi.IF_UNSPEC,
275
name = None,
276
servicetype = None,
277
port = None,
278
TXT = None,
279
domain = "",
280
host = "",
281
max_renames = 32768,
282
protocol = avahi.PROTO_UNSPEC,
283
bus = None):
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
284
351
self.interface = interface
285
352
self.name = name
286
353
self.type = servicetype
295
362
self.server = None
296
363
self.bus = bus
297
364
self.entry_group_state_changed_match = None
298
365
299
366
def rename(self, remove=True):
300
367
"""Derived from the Avahi example code"""
301
368
if self.rename_count >= self.max_renames:
321
388
logger.critical("D-Bus Exception", exc_info=error)
322
389
self.cleanup()
323
390
os._exit(1)
324
391
325
392
def remove(self):
326
393
"""Derived from the Avahi example code"""
327
394
if self.entry_group_state_changed_match is not None:
329
396
self.entry_group_state_changed_match = None
330
397
if self.group is not None:
331
398
self.group.Reset()
332
399
333
400
def add(self):
334
401
"""Derived from the Avahi example code"""
335
402
self.remove()
352
419
dbus.UInt16(self.port),
353
420
avahi.string_array_to_txt_array(self.TXT))
354
421
self.group.Commit()
355
422
356
423
def entry_group_state_changed(self, state, error):
357
424
"""Derived from the Avahi example code"""
358
425
logger.debug("Avahi entry group state change: %i", state)
359
426
360
427
if state == avahi.ENTRY_GROUP_ESTABLISHED:
361
428
logger.debug("Zeroconf service established.")
362
429
elif state == avahi.ENTRY_GROUP_COLLISION:
366
433
logger.critical("Avahi: Error in group state changed %s",
367
434
str(error))
368
435
raise AvahiGroupError("State changed: {!s}".format(error))
369
436
370
437
def cleanup(self):
371
438
"""Derived from the Avahi example code"""
372
439
if self.group is not None:
377
444
pass
378
445
self.group = None
379
446
self.remove()
380
447
381
448
def server_state_changed(self, state, error=None):
382
449
"""Derived from the Avahi example code"""
383
450
logger.debug("Avahi server state change: %i", state)
412
479
logger.debug("Unknown state: %r", state)
413
480
else:
414
481
logger.debug("Unknown state: %r: %r", state, error)
415
482
416
483
def activate(self):
417
484
"""Derived from the Avahi example code"""
418
485
if self.server is None:
429
496
class AvahiServiceToSyslog(AvahiService):
430
497
def rename(self, *args, **kwargs):
431
498
"""Add the new name to the syslog messages"""
432
ret = AvahiService.rename(self, *args, **kwargs)
499
ret = super(AvahiServiceToSyslog, self).rename(self, *args,
500
**kwargs)
433
501
syslogger.setFormatter(logging.Formatter(
434
502
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
435
503
.format(self.name)))
436
504
return ret
437
505
506
507
# Pretend that we have a GnuTLS module
508
class GnuTLS(object):
509
"""This isn't so much a class as it is a module-like namespace.
510
It is instantiated once, and simulates having a GnuTLS module."""
511
512
library = ctypes.util.find_library("gnutls")
513
if library is None:
514
library = ctypes.util.find_library("gnutls-deb0")
515
_library = ctypes.cdll.LoadLibrary(library)
516
del library
517
_need_version = b"3.3.0"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
528
529
# Constants
530
E_SUCCESS = 0
531
E_INTERRUPTED = -52
532
E_AGAIN = -28
533
CRT_OPENPGP = 2
534
CLIENT = 2
535
SHUT_RDWR = 0
536
CRD_CERTIFICATE = 1
537
E_NO_CERTIFICATE_FOUND = -49
538
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
539
540
# Types
541
class session_int(ctypes.Structure):
542
_fields_ = []
543
session_t = ctypes.POINTER(session_int)
544
545
class certificate_credentials_st(ctypes.Structure):
546
_fields_ = []
547
certificate_credentials_t = ctypes.POINTER(
548
certificate_credentials_st)
549
certificate_type_t = ctypes.c_int
550
551
class datum_t(ctypes.Structure):
552
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
553
('size', ctypes.c_uint)]
554
555
class openpgp_crt_int(ctypes.Structure):
556
_fields_ = []
557
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
558
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
559
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
560
credentials_type_t = ctypes.c_int
561
transport_ptr_t = ctypes.c_void_p
562
close_request_t = ctypes.c_int
563
564
# Exceptions
565
class Error(Exception):
566
# We need to use the class name "GnuTLS" here, since this
567
# exception might be raised from within GnuTLS.__init__,
568
# which is called before the assignment to the "gnutls"
569
# global variable has happened.
570
def __init__(self, message=None, code=None, args=()):
571
# Default usage is by a message string, but if a return
572
# code is passed, convert it to a string with
573
# gnutls.strerror()
574
self.code = code
575
if message is None and code is not None:
576
message = GnuTLS.strerror(code)
577
return super(GnuTLS.Error, self).__init__(
578
message, *args)
579
580
class CertificateSecurityError(Error):
581
pass
582
583
# Classes
584
class Credentials(object):
585
def __init__(self):
586
self._c_object = gnutls.certificate_credentials_t()
587
gnutls.certificate_allocate_credentials(
588
ctypes.byref(self._c_object))
589
self.type = gnutls.CRD_CERTIFICATE
590
591
def __del__(self):
592
gnutls.certificate_free_credentials(self._c_object)
593
594
class ClientSession(object):
595
def __init__(self, socket, credentials=None):
596
self._c_object = gnutls.session_t()
597
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
598
gnutls.set_default_priority(self._c_object)
599
gnutls.transport_set_ptr(self._c_object, socket.fileno())
600
gnutls.handshake_set_private_extensions(self._c_object,
601
True)
602
self.socket = socket
603
if credentials is None:
604
credentials = gnutls.Credentials()
605
gnutls.credentials_set(self._c_object, credentials.type,
606
ctypes.cast(credentials._c_object,
607
ctypes.c_void_p))
608
self.credentials = credentials
609
610
def __del__(self):
611
gnutls.deinit(self._c_object)
612
613
def handshake(self):
614
return gnutls.handshake(self._c_object)
615
616
def send(self, data):
617
data = bytes(data)
618
data_len = len(data)
619
while data_len > 0:
620
data_len -= gnutls.record_send(self._c_object,
621
data[-data_len:],
622
data_len)
623
624
def bye(self):
625
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
626
627
# Error handling functions
628
def _error_code(result):
629
"""A function to raise exceptions on errors, suitable
630
for the 'restype' attribute on ctypes functions"""
631
if result >= 0:
632
return result
633
if result == gnutls.E_NO_CERTIFICATE_FOUND:
634
raise gnutls.CertificateSecurityError(code=result)
635
raise gnutls.Error(code=result)
636
637
def _retry_on_error(result, func, arguments):
638
"""A function to retry on some errors, suitable
639
for the 'errcheck' attribute on ctypes functions"""
640
while result < 0:
641
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
642
return _error_code(result)
643
result = func(*arguments)
644
return result
645
646
# Unless otherwise indicated, the function declarations below are
647
# all from the gnutls/gnutls.h C header file.
648
649
# Functions
650
priority_set_direct = _library.gnutls_priority_set_direct
651
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
652
ctypes.POINTER(ctypes.c_char_p)]
653
priority_set_direct.restype = _error_code
654
655
init = _library.gnutls_init
656
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
657
init.restype = _error_code
658
659
set_default_priority = _library.gnutls_set_default_priority
660
set_default_priority.argtypes = [session_t]
661
set_default_priority.restype = _error_code
662
663
record_send = _library.gnutls_record_send
664
record_send.argtypes = [session_t, ctypes.c_void_p,
665
ctypes.c_size_t]
666
record_send.restype = ctypes.c_ssize_t
667
record_send.errcheck = _retry_on_error
668
669
certificate_allocate_credentials = (
670
_library.gnutls_certificate_allocate_credentials)
671
certificate_allocate_credentials.argtypes = [
672
ctypes.POINTER(certificate_credentials_t)]
673
certificate_allocate_credentials.restype = _error_code
674
675
certificate_free_credentials = (
676
_library.gnutls_certificate_free_credentials)
677
certificate_free_credentials.argtypes = [
678
certificate_credentials_t]
679
certificate_free_credentials.restype = None
680
681
handshake_set_private_extensions = (
682
_library.gnutls_handshake_set_private_extensions)
683
handshake_set_private_extensions.argtypes = [session_t,
684
ctypes.c_int]
685
handshake_set_private_extensions.restype = None
686
687
credentials_set = _library.gnutls_credentials_set
688
credentials_set.argtypes = [session_t, credentials_type_t,
689
ctypes.c_void_p]
690
credentials_set.restype = _error_code
691
692
strerror = _library.gnutls_strerror
693
strerror.argtypes = [ctypes.c_int]
694
strerror.restype = ctypes.c_char_p
695
696
certificate_type_get = _library.gnutls_certificate_type_get
697
certificate_type_get.argtypes = [session_t]
698
certificate_type_get.restype = _error_code
699
700
certificate_get_peers = _library.gnutls_certificate_get_peers
701
certificate_get_peers.argtypes = [session_t,
702
ctypes.POINTER(ctypes.c_uint)]
703
certificate_get_peers.restype = ctypes.POINTER(datum_t)
704
705
global_set_log_level = _library.gnutls_global_set_log_level
706
global_set_log_level.argtypes = [ctypes.c_int]
707
global_set_log_level.restype = None
708
709
global_set_log_function = _library.gnutls_global_set_log_function
710
global_set_log_function.argtypes = [log_func]
711
global_set_log_function.restype = None
712
713
deinit = _library.gnutls_deinit
714
deinit.argtypes = [session_t]
715
deinit.restype = None
716
717
handshake = _library.gnutls_handshake
718
handshake.argtypes = [session_t]
719
handshake.restype = _error_code
720
handshake.errcheck = _retry_on_error
721
722
transport_set_ptr = _library.gnutls_transport_set_ptr
723
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
724
transport_set_ptr.restype = None
725
726
bye = _library.gnutls_bye
727
bye.argtypes = [session_t, close_request_t]
728
bye.restype = _error_code
729
bye.errcheck = _retry_on_error
730
731
check_version = _library.gnutls_check_version
732
check_version.argtypes = [ctypes.c_char_p]
733
check_version.restype = ctypes.c_char_p
734
735
# All the function declarations below are from gnutls/openpgp.h
736
737
openpgp_crt_init = _library.gnutls_openpgp_crt_init
738
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
739
openpgp_crt_init.restype = _error_code
740
741
openpgp_crt_import = _library.gnutls_openpgp_crt_import
742
openpgp_crt_import.argtypes = [openpgp_crt_t,
743
ctypes.POINTER(datum_t),
744
openpgp_crt_fmt_t]
745
openpgp_crt_import.restype = _error_code
746
747
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
748
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
749
ctypes.POINTER(ctypes.c_uint)]
750
openpgp_crt_verify_self.restype = _error_code
751
752
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
753
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
754
openpgp_crt_deinit.restype = None
755
756
openpgp_crt_get_fingerprint = (
757
_library.gnutls_openpgp_crt_get_fingerprint)
758
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
ctypes.c_void_p,
760
ctypes.POINTER(
761
ctypes.c_size_t)]
762
openpgp_crt_get_fingerprint.restype = _error_code
763
764
# Remove non-public functions
765
del _error_code, _retry_on_error
766
# Create the global "gnutls" object, simulating a module
767
gnutls = GnuTLS()
768
769
438
770
def call_pipe(connection, # : multiprocessing.Connection
439
771
func, *args, **kwargs):
440
772
"""This function is meant to be called by multiprocessing.Process
441
773
442
774
This function runs func(*args, **kwargs), and writes the resulting
443
775
return value on the provided multiprocessing.Connection.
444
776
"""
445
777
connection.send(func(*args, **kwargs))
446
778
connection.close()
447
779
780
448
781
class Client(object):
449
782
"""A representation of a client host served by this server.
450
783
451
784
Attributes:
452
785
approved: bool(); 'None' if not yet approved/disapproved
453
786
approval_delay: datetime.timedelta(); Time to wait for approval
455
788
checker: subprocess.Popen(); a running checker process used
456
789
to see if the client lives.
457
790
'None' if no process is running.
458
checker_callback_tag: a gobject event source tag, or None
791
checker_callback_tag: a GLib event source tag, or None
459
792
checker_command: string; External command which is run to check
460
793
if client lives. %() expansions are done at
461
794
runtime with vars(self) as dict, so that for
462
795
instance %(name)s can be used in the command.
463
checker_initiator_tag: a gobject event source tag, or None
796
checker_initiator_tag: a GLib event source tag, or None
464
797
created: datetime.datetime(); (UTC) object creation
465
798
client_structure: Object describing what attributes a client has
466
799
and is used for storing the client at exit
467
800
current_checker_command: string; current running checker_command
468
disable_initiator_tag: a gobject event source tag, or None
801
disable_initiator_tag: a GLib event source tag, or None
469
802
enabled: bool()
470
803
fingerprint: string (40 or 32 hexadecimal digits); used to
471
804
uniquely identify the client
490
823
disabled, or None
491
824
server_settings: The server_settings dict from main()
492
825
"""
493
826
494
827
runtime_expansions = ("approval_delay", "approval_duration",
495
828
"created", "enabled", "expires",
496
829
"fingerprint", "host", "interval",
507
840
"approved_by_default": "True",
508
841
"enabled": "True",
509
842
}
510
843
511
844
@staticmethod
512
845
def config_parser(config):
513
846
"""Construct a new dict of client settings of this form:
520
853
for client_name in config.sections():
521
854
section = dict(config.items(client_name))
522
855
client = settings[client_name] = {}
523
856
524
857
client["host"] = section["host"]
525
858
# Reformat values from string types to Python types
526
859
client["approved_by_default"] = config.getboolean(
527
860
client_name, "approved_by_default")
528
861
client["enabled"] = config.getboolean(client_name,
529
862
"enabled")
530
863
531
864
# Uppercase and remove spaces from fingerprint for later
532
865
# comparison purposes with return value from the
533
866
# fingerprint() function
534
867
client["fingerprint"] = (section["fingerprint"].upper()
535
868
.replace(" ", ""))
536
869
if "secret" in section:
537
client["secret"] = section["secret"].decode("base64")
870
client["secret"] = codecs.decode(section["secret"]
871
.encode("utf-8"),
872
"base64")
538
873
elif "secfile" in section:
539
874
with open(os.path.expanduser(os.path.expandvars
540
875
(section["secfile"])),
555
890
client["last_approval_request"] = None
556
891
client["last_checked_ok"] = None
557
892
client["last_checker_status"] = -2
558
893
559
894
return settings
560
561
def __init__(self, settings, name = None, server_settings=None):
895
896
def __init__(self, settings, name=None, server_settings=None):
562
897
self.name = name
563
898
if server_settings is None:
564
899
server_settings = {}
566
901
# adding all client settings
567
902
for setting, value in settings.items():
568
903
setattr(self, setting, value)
569
904
570
905
if self.enabled:
571
906
if not hasattr(self, "last_enabled"):
572
907
self.last_enabled = datetime.datetime.utcnow()
576
911
else:
577
912
self.last_enabled = None
578
913
self.expires = None
579
914
580
915
logger.debug("Creating client %r", self.name)
581
916
logger.debug(" Fingerprint: %s", self.fingerprint)
582
917
self.created = settings.get("created",
583
918
datetime.datetime.utcnow())
584
919
585
920
# attributes specific for this server instance
586
921
self.checker = None
587
922
self.checker_initiator_tag = None
593
928
self.changedstate = multiprocessing_manager.Condition(
594
929
multiprocessing_manager.Lock())
595
930
self.client_structure = [attr
596
for attr in self.__dict__.iterkeys()
931
for attr in self.__dict__.keys()
597
932
if not attr.startswith("_")]
598
933
self.client_structure.append("client_structure")
599
934
600
935
for name, t in inspect.getmembers(
601
936
type(self), lambda obj: isinstance(obj, property)):
602
937
if not name.startswith("_"):
603
938
self.client_structure.append(name)
604
939
605
940
# Send notice to process children that client state has changed
606
941
def send_changedstate(self):
607
942
with self.changedstate:
608
943
self.changedstate.notify_all()
609
944
610
945
def enable(self):
611
946
"""Start this client's checker and timeout hooks"""
612
947
if getattr(self, "enabled", False):
617
952
self.last_enabled = datetime.datetime.utcnow()
618
953
self.init_checker()
619
954
self.send_changedstate()
620
955
621
956
def disable(self, quiet=True):
622
957
"""Disable this client."""
623
958
if not getattr(self, "enabled", False):
625
960
if not quiet:
626
961
logger.info("Disabling client %s", self.name)
627
962
if getattr(self, "disable_initiator_tag", None) is not None:
628
gobject.source_remove(self.disable_initiator_tag)
963
GLib.source_remove(self.disable_initiator_tag)
629
964
self.disable_initiator_tag = None
630
965
self.expires = None
631
966
if getattr(self, "checker_initiator_tag", None) is not None:
632
gobject.source_remove(self.checker_initiator_tag)
967
GLib.source_remove(self.checker_initiator_tag)
633
968
self.checker_initiator_tag = None
634
969
self.stop_checker()
635
970
self.enabled = False
636
971
if not quiet:
637
972
self.send_changedstate()
638
# Do not run this again if called by a gobject.timeout_add
973
# Do not run this again if called by a GLib.timeout_add
639
974
return False
640
975
641
976
def __del__(self):
642
977
self.disable()
643
978
644
979
def init_checker(self):
645
980
# Schedule a new checker to be started an 'interval' from now,
646
981
# and every interval from then on.
647
982
if self.checker_initiator_tag is not None:
648
gobject.source_remove(self.checker_initiator_tag)
649
self.checker_initiator_tag = gobject.timeout_add(
983
GLib.source_remove(self.checker_initiator_tag)
984
self.checker_initiator_tag = GLib.timeout_add(
650
985
int(self.interval.total_seconds() * 1000),
651
986
self.start_checker)
652
987
# Schedule a disable() when 'timeout' has passed
653
988
if self.disable_initiator_tag is not None:
654
gobject.source_remove(self.disable_initiator_tag)
655
self.disable_initiator_tag = gobject.timeout_add(
989
GLib.source_remove(self.disable_initiator_tag)
990
self.disable_initiator_tag = GLib.timeout_add(
656
991
int(self.timeout.total_seconds() * 1000), self.disable)
657
992
# Also start a new checker *right now*.
658
993
self.start_checker()
659
994
660
995
def checker_callback(self, source, condition, connection,
661
996
command):
662
997
"""The checker has completed, so take appropriate actions."""
665
1000
# Read return code from connection (see call_pipe)
666
1001
returncode = connection.recv()
667
1002
connection.close()
668
1003
669
1004
if returncode >= 0:
670
1005
self.last_checker_status = returncode
671
1006
self.last_checker_signal = None
681
1016
logger.warning("Checker for %(name)s crashed?",
682
1017
vars(self))
683
1018
return False
684
1019
685
1020
def checked_ok(self):
686
1021
"""Assert that the client has been seen, alive and well."""
687
1022
self.last_checked_ok = datetime.datetime.utcnow()
688
1023
self.last_checker_status = 0
689
1024
self.last_checker_signal = None
690
1025
self.bump_timeout()
691
1026
692
1027
def bump_timeout(self, timeout=None):
693
1028
"""Bump up the timeout for this client."""
694
1029
if timeout is None:
695
1030
timeout = self.timeout
696
1031
if self.disable_initiator_tag is not None:
697
gobject.source_remove(self.disable_initiator_tag)
1032
GLib.source_remove(self.disable_initiator_tag)
698
1033
self.disable_initiator_tag = None
699
1034
if getattr(self, "enabled", False):
700
self.disable_initiator_tag = gobject.timeout_add(
1035
self.disable_initiator_tag = GLib.timeout_add(
701
1036
int(timeout.total_seconds() * 1000), self.disable)
702
1037
self.expires = datetime.datetime.utcnow() + timeout
703
1038
704
1039
def need_approval(self):
705
1040
self.last_approval_request = datetime.datetime.utcnow()
706
1041
707
1042
def start_checker(self):
708
1043
"""Start a new checker subprocess if one is not running.
709
1044
710
1045
If a checker already exists, leave it running and do
711
1046
nothing."""
712
1047
# The reason for not killing a running checker is that if we
717
1052
# checkers alone, the checker would have to take more time
718
1053
# than 'timeout' for the client to be disabled, which is as it
719
1054
# should be.
720
1055
721
1056
if self.checker is not None and not self.checker.is_alive():
722
1057
logger.warning("Checker was not alive; joining")
723
1058
self.checker.join()
727
1062
# Escape attributes for the shell
728
1063
escaped_attrs = {
729
1064
attr: re.escape(str(getattr(self, attr)))
730
for attr in self.runtime_expansions }
1065
for attr in self.runtime_expansions}
731
1066
try:
732
1067
command = self.checker_command % escaped_attrs
733
1068
except TypeError as error:
745
1080
# The exception is when not debugging but nevertheless
746
1081
# running in the foreground; use the previously
747
1082
# created wnull.
748
popen_args = { "close_fds": True,
749
"shell": True,
750
"cwd": "/" }
1083
popen_args = {"close_fds": True,
1084
"shell": True,
1085
"cwd": "/"}
751
1086
if (not self.server_settings["debug"]
752
1087
and self.server_settings["foreground"]):
753
1088
popen_args.update({"stdout": wnull,
754
"stderr": wnull })
755
pipe = multiprocessing.Pipe(duplex = False)
1089
"stderr": wnull})
1090
pipe = multiprocessing.Pipe(duplex=False)
756
1091
self.checker = multiprocessing.Process(
757
target = call_pipe,
758
args = (pipe[1], subprocess.call, command),
759
kwargs = popen_args)
1092
target=call_pipe,
1093
args=(pipe[1], subprocess.call, command),
1094
kwargs=popen_args)
760
1095
self.checker.start()
761
self.checker_callback_tag = gobject.io_add_watch(
762
pipe[0].fileno(), gobject.IO_IN,
1096
self.checker_callback_tag = GLib.io_add_watch(
1097
pipe[0].fileno(), GLib.IO_IN,
763
1098
self.checker_callback, pipe[0], command)
764
# Re-run this periodically if run by gobject.timeout_add
1099
# Re-run this periodically if run by GLib.timeout_add
765
1100
return True
766
1101
767
1102
def stop_checker(self):
768
1103
"""Force the checker process, if any, to stop."""
769
1104
if self.checker_callback_tag:
770
gobject.source_remove(self.checker_callback_tag)
1105
GLib.source_remove(self.checker_callback_tag)
771
1106
self.checker_callback_tag = None
772
1107
if getattr(self, "checker", None) is None:
773
1108
return
782
1117
byte_arrays=False):
783
1118
"""Decorators for marking methods of a DBusObjectWithProperties to
784
1119
become properties on the D-Bus.
785
1120
786
1121
The decorated method will be called with no arguments by "Get"
787
1122
and with one argument by "Set".
788
1123
789
1124
The parameters, where they are supported, are the same as
790
1125
dbus.service.method, except there is only "signature", since the
791
1126
type from Get() and the type sent to Set() is the same.
795
1130
if byte_arrays and signature != "ay":
796
1131
raise ValueError("Byte arrays not supported for non-'ay'"
797
1132
" signature {!r}".format(signature))
798
1133
799
1134
def decorator(func):
800
1135
func._dbus_is_property = True
801
1136
func._dbus_interface = dbus_interface
804
1139
func._dbus_name = func.__name__
805
1140
if func._dbus_name.endswith("_dbus_property"):
806
1141
func._dbus_name = func._dbus_name[:-14]
807
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
808
1143
return func
809
1144
810
1145
return decorator
811
1146
812
1147
813
1148
def dbus_interface_annotations(dbus_interface):
814
1149
"""Decorator for marking functions returning interface annotations
815
1150
816
1151
Usage:
817
1152
818
1153
@dbus_interface_annotations("org.example.Interface")
819
1154
def _foo(self): # Function name does not matter
820
1155
return {"org.freedesktop.DBus.Deprecated": "true",
821
1156
"org.freedesktop.DBus.Property.EmitsChangedSignal":
822
1157
"false"}
823
1158
"""
824
1159
825
1160
def decorator(func):
826
1161
func._dbus_is_interface = True
827
1162
func._dbus_interface = dbus_interface
828
1163
func._dbus_name = dbus_interface
829
1164
return func
830
1165
831
1166
return decorator
832
1167
833
1168
834
1169
def dbus_annotations(annotations):
835
1170
"""Decorator to annotate D-Bus methods, signals or properties
836
1171
Usage:
837
1172
838
1173
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
839
1174
"org.freedesktop.DBus.Property."
840
1175
"EmitsChangedSignal": "false"})
842
1177
access="r")
843
1178
def Property_dbus_property(self):
844
1179
return dbus.Boolean(False)
845
1180
846
1181
See also the DBusObjectWithAnnotations class.
847
1182
"""
848
1183
849
1184
def decorator(func):
850
1185
func._dbus_annotations = annotations
851
1186
return func
852
1187
853
1188
return decorator
854
1189
855
1190
873
1208
874
1209
class DBusObjectWithAnnotations(dbus.service.Object):
875
1210
"""A D-Bus object with annotations.
876
1211
877
1212
Classes inheriting from this can use the dbus_annotations
878
1213
decorator to add annotations to methods or signals.
879
1214
"""
880
1215
881
1216
@staticmethod
882
1217
def _is_dbus_thing(thing):
883
1218
"""Returns a function testing if an attribute is a D-Bus thing
884
1219
885
1220
If called like _is_dbus_thing("method") it returns a function
886
1221
suitable for use as predicate to inspect.getmembers().
887
1222
"""
888
1223
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
889
1224
False)
890
1225
891
1226
def _get_all_dbus_things(self, thing):
892
1227
"""Returns a generator of (name, attribute) pairs
893
1228
"""
896
1231
for cls in self.__class__.__mro__
897
1232
for name, athing in
898
1233
inspect.getmembers(cls, self._is_dbus_thing(thing)))
899
1234
900
1235
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
901
out_signature = "s",
902
path_keyword = 'object_path',
903
connection_keyword = 'connection')
1236
out_signature="s",
1237
path_keyword='object_path',
1238
connection_keyword='connection')
904
1239
def Introspect(self, object_path, connection):
905
1240
"""Overloading of standard D-Bus method.
906
1241
907
1242
Inserts annotation tags on methods and signals.
908
1243
"""
909
1244
xmlstring = dbus.service.Object.Introspect(self, object_path,
910
1245
connection)
911
1246
try:
912
1247
document = xml.dom.minidom.parseString(xmlstring)
913
1248
914
1249
for if_tag in document.getElementsByTagName("interface"):
915
1250
# Add annotation tags
916
1251
for typ in ("method", "signal"):
943
1278
if_tag.appendChild(ann_tag)
944
1279
# Fix argument name for the Introspect method itself
945
1280
if (if_tag.getAttribute("name")
946
== dbus.INTROSPECTABLE_IFACE):
1281
== dbus.INTROSPECTABLE_IFACE):
947
1282
for cn in if_tag.getElementsByTagName("method"):
948
1283
if cn.getAttribute("name") == "Introspect":
949
1284
for arg in cn.getElementsByTagName("arg"):
962
1297
963
1298
class DBusObjectWithProperties(DBusObjectWithAnnotations):
964
1299
"""A D-Bus object with properties.
965
1300
966
1301
Classes inheriting from this can use the dbus_service_property
967
1302
decorator to expose methods as D-Bus properties. It exposes the
968
1303
standard Get(), Set(), and GetAll() methods on the D-Bus.
969
1304
"""
970
1305
971
1306
def _get_dbus_property(self, interface_name, property_name):
972
1307
"""Returns a bound method if one exists which is a D-Bus
973
1308
property with the specified name and interface.
978
1313
if (value._dbus_name == property_name
979
1314
and value._dbus_interface == interface_name):
980
1315
return value.__get__(self)
981
1316
982
1317
# No such property
983
1318
raise DBusPropertyNotFound("{}:{}.{}".format(
984
1319
self.dbus_object_path, interface_name, property_name))
985
1320
986
1321
@classmethod
987
1322
def _get_all_interface_names(cls):
988
1323
"""Get a sequence of all interfaces supported by an object"""
991
1326
for x in (inspect.getmro(cls))
992
1327
for attr in dir(x))
993
1328
if name is not None)
994
1329
995
1330
@dbus.service.method(dbus.PROPERTIES_IFACE,
996
1331
in_signature="ss",
997
1332
out_signature="v")
1005
1340
if not hasattr(value, "variant_level"):
1006
1341
return value
1007
1342
return type(value)(value, variant_level=value.variant_level+1)
1008
1343
1009
1344
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1010
1345
def Set(self, interface_name, property_name, value):
1011
1346
"""Standard D-Bus property Set() method, see D-Bus standard.
1023
1358
value = dbus.ByteArray(b''.join(chr(byte)
1024
1359
for byte in value))
1025
1360
prop(value)
1026
1361
1027
1362
@dbus.service.method(dbus.PROPERTIES_IFACE,
1028
1363
in_signature="s",
1029
1364
out_signature="a{sv}")
1030
1365
def GetAll(self, interface_name):
1031
1366
"""Standard D-Bus property GetAll() method, see D-Bus
1032
1367
standard.
1033
1368
1034
1369
Note: Will not include properties with access="write".
1035
1370
"""
1036
1371
properties = {}
1047
1382
properties[name] = value
1048
1383
continue
1049
1384
properties[name] = type(value)(
1050
value, variant_level = value.variant_level + 1)
1385
value, variant_level=value.variant_level + 1)
1051
1386
return dbus.Dictionary(properties, signature="sv")
1052
1387
1053
1388
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1054
1389
def PropertiesChanged(self, interface_name, changed_properties,
1055
1390
invalidated_properties):
1057
1392
standard.
1058
1393
"""
1059
1394
pass
1060
1395
1061
1396
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1062
1397
out_signature="s",
1063
1398
path_keyword='object_path',
1064
1399
connection_keyword='connection')
1065
1400
def Introspect(self, object_path, connection):
1066
1401
"""Overloading of standard D-Bus method.
1067
1402
1068
1403
Inserts property tags and interface annotation tags.
1069
1404
"""
1070
1405
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1072
1407
connection)
1073
1408
try:
1074
1409
document = xml.dom.minidom.parseString(xmlstring)
1075
1410
1076
1411
def make_tag(document, name, prop):
1077
1412
e = document.createElement("property")
1078
1413
e.setAttribute("name", name)
1079
1414
e.setAttribute("type", prop._dbus_signature)
1080
1415
e.setAttribute("access", prop._dbus_access)
1081
1416
return e
1082
1417
1083
1418
for if_tag in document.getElementsByTagName("interface"):
1084
1419
# Add property tags
1085
1420
for tag in (make_tag(document, name, prop)
1127
1462
exc_info=error)
1128
1463
return xmlstring
1129
1464
1465
1130
1466
try:
1131
1467
dbus.OBJECT_MANAGER_IFACE
1132
1468
except AttributeError:
1133
1469
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1134
1470
1471
1135
1472
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1136
1473
"""A D-Bus object with an ObjectManager.
1137
1474
1138
1475
Classes inheriting from this exposes the standard
1139
1476
GetManagedObjects call and the InterfacesAdded and
1140
1477
InterfacesRemoved signals on the standard
1141
1478
"org.freedesktop.DBus.ObjectManager" interface.
1142
1479
1143
1480
Note: No signals are sent automatically; they must be sent
1144
1481
manually.
1145
1482
"""
1146
1483
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1147
out_signature = "a{oa{sa{sv}}}")
1484
out_signature="a{oa{sa{sv}}}")
1148
1485
def GetManagedObjects(self):
1149
1486
"""This function must be overridden"""
1150
1487
raise NotImplementedError()
1151
1488
1152
1489
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1153
signature = "oa{sa{sv}}")
1490
signature="oa{sa{sv}}")
1154
1491
def InterfacesAdded(self, object_path, interfaces_and_properties):
1155
1492
pass
1156
1157
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1493
1494
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1158
1495
def InterfacesRemoved(self, object_path, interfaces):
1159
1496
pass
1160
1497
1161
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1162
out_signature = "s",
1163
path_keyword = 'object_path',
1164
connection_keyword = 'connection')
1499
out_signature="s",
1500
path_keyword='object_path',
1501
connection_keyword='connection')
1165
1502
def Introspect(self, object_path, connection):
1166
1503
"""Overloading of standard D-Bus method.
1167
1504
1168
1505
Override return argument name of GetManagedObjects to be
1169
1506
"objpath_interfaces_and_properties"
1170
1507
"""
1173
1510
connection)
1174
1511
try:
1175
1512
document = xml.dom.minidom.parseString(xmlstring)
1176
1513
1177
1514
for if_tag in document.getElementsByTagName("interface"):
1178
1515
# Fix argument name for the GetManagedObjects method
1179
1516
if (if_tag.getAttribute("name")
1180
== dbus.OBJECT_MANAGER_IFACE):
1517
== dbus.OBJECT_MANAGER_IFACE):
1181
1518
for cn in if_tag.getElementsByTagName("method"):
1182
1519
if (cn.getAttribute("name")
1183
1520
== "GetManagedObjects"):
1193
1530
except (AttributeError, xml.dom.DOMException,
1194
1531
xml.parsers.expat.ExpatError) as error:
1195
1532
logger.error("Failed to override Introspection method",
1196
exc_info = error)
1533
exc_info=error)
1197
1534
return xmlstring
1198
1535
1536
1199
1537
def datetime_to_dbus(dt, variant_level=0):
1200
1538
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1201
1539
if dt is None:
1202
return dbus.String("", variant_level = variant_level)
1540
return dbus.String("", variant_level=variant_level)
1203
1541
return dbus.String(dt.isoformat(), variant_level=variant_level)
1204
1542
1205
1543
1208
1546
dbus.service.Object, it will add alternate D-Bus attributes with
1209
1547
interface names according to the "alt_interface_names" mapping.
1210
1548
Usage:
1211
1549
1212
1550
@alternate_dbus_interfaces({"org.example.Interface":
1213
1551
"net.example.AlternateInterface"})
1214
1552
class SampleDBusObject(dbus.service.Object):
1215
1553
@dbus.service.method("org.example.Interface")
1216
1554
def SampleDBusMethod():
1217
1555
pass
1218
1556
1219
1557
The above "SampleDBusMethod" on "SampleDBusObject" will be
1220
1558
reachable via two interfaces: "org.example.Interface" and
1221
1559
"net.example.AlternateInterface", the latter of which will have
1222
1560
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1223
1561
"true", unless "deprecate" is passed with a False value.
1224
1562
1225
1563
This works for methods and signals, and also for D-Bus properties
1226
1564
(from DBusObjectWithProperties) and interfaces (from the
1227
1565
dbus_interface_annotations decorator).
1228
1566
"""
1229
1567
1230
1568
def wrapper(cls):
1231
1569
for orig_interface_name, alt_interface_name in (
1232
1570
alt_interface_names.items()):
1247
1585
interface_names.add(alt_interface)
1248
1586
# Is this a D-Bus signal?
1249
1587
if getattr(attribute, "_dbus_is_signal", False):
1588
# Extract the original non-method undecorated
1589
# function by black magic
1250
1590
if sys.version_info.major == 2:
1251
# Extract the original non-method undecorated
1252
# function by black magic
1253
1591
nonmethod_func = (dict(
1254
1592
zip(attribute.func_code.co_freevars,
1255
1593
attribute.__closure__))
1256
1594
["func"].cell_contents)
1257
1595
else:
1258
nonmethod_func = attribute
1596
nonmethod_func = (dict(
1597
zip(attribute.__code__.co_freevars,
1598
attribute.__closure__))
1599
["func"].cell_contents)
1259
1600
# Create a new, but exactly alike, function
1260
1601
# object, and decorate it to be a new D-Bus signal
1261
1602
# with the alternate D-Bus interface name
1262
if sys.version_info.major == 2:
1263
new_function = types.FunctionType(
1264
nonmethod_func.func_code,
1265
nonmethod_func.func_globals,
1266
nonmethod_func.func_name,
1267
nonmethod_func.func_defaults,
1268
nonmethod_func.func_closure)
1269
else:
1270
new_function = types.FunctionType(
1271
nonmethod_func.__code__,
1272
nonmethod_func.__globals__,
1273
nonmethod_func.__name__,
1274
nonmethod_func.__defaults__,
1275
nonmethod_func.__closure__)
1603
new_function = copy_function(nonmethod_func)
1276
1604
new_function = (dbus.service.signal(
1277
1605
alt_interface,
1278
1606
attribute._dbus_signature)(new_function))
1282
1610
attribute._dbus_annotations)
1283
1611
except AttributeError:
1284
1612
pass
1613
1285
1614
# Define a creator of a function to call both the
1286
1615
# original and alternate functions, so both the
1287
1616
# original and alternate signals gets sent when
1290
1619
"""This function is a scope container to pass
1291
1620
func1 and func2 to the "call_both" function
1292
1621
outside of its arguments"""
1293
1622
1294
1623
@functools.wraps(func2)
1295
1624
def call_both(*args, **kwargs):
1296
1625
"""This function will emit two D-Bus
1297
1626
signals by calling func1 and func2"""
1298
1627
func1(*args, **kwargs)
1299
1628
func2(*args, **kwargs)
1300
# Make wrapper function look like a D-Bus signal
1629
# Make wrapper function look like a D-Bus
1630
# signal
1301
1631
for name, attr in inspect.getmembers(func2):
1302
1632
if name.startswith("_dbus_"):
1303
1633
setattr(call_both, name, attr)
1304
1634
1305
1635
return call_both
1306
1636
# Create the "call_both" function and add it to
1307
1637
# the class
1317
1647
alt_interface,
1318
1648
attribute._dbus_in_signature,
1319
1649
attribute._dbus_out_signature)
1320
(types.FunctionType(attribute.func_code,
1321
attribute.func_globals,
1322
attribute.func_name,
1323
attribute.func_defaults,
1324
attribute.func_closure)))
1650
(copy_function(attribute)))
1325
1651
# Copy annotations, if any
1326
1652
try:
1327
1653
attr[attrname]._dbus_annotations = dict(
1339
1665
attribute._dbus_access,
1340
1666
attribute._dbus_get_args_options
1341
1667
["byte_arrays"])
1342
(types.FunctionType(
1343
attribute.func_code,
1344
attribute.func_globals,
1345
attribute.func_name,
1346
attribute.func_defaults,
1347
attribute.func_closure)))
1668
(copy_function(attribute)))
1348
1669
# Copy annotations, if any
1349
1670
try:
1350
1671
attr[attrname]._dbus_annotations = dict(
1359
1680
# to the class.
1360
1681
attr[attrname] = (
1361
1682
dbus_interface_annotations(alt_interface)
1362
(types.FunctionType(attribute.func_code,
1363
attribute.func_globals,
1364
attribute.func_name,
1365
attribute.func_defaults,
1366
attribute.func_closure)))
1683
(copy_function(attribute)))
1367
1684
if deprecate:
1368
1685
# Deprecate all alternate interfaces
1369
iname="_AlternateDBusNames_interface_annotation{}"
1686
iname = "_AlternateDBusNames_interface_annotation{}"
1370
1687
for interface_name in interface_names:
1371
1688
1372
1689
@dbus_interface_annotations(interface_name)
1373
1690
def func(self):
1374
return { "org.freedesktop.DBus.Deprecated":
1375
"true" }
1691
return {"org.freedesktop.DBus.Deprecated":
1692
"true"}
1376
1693
# Find an unused name
1377
1694
for aname in (iname.format(i)
1378
1695
for i in itertools.count()):
1382
1699
if interface_names:
1383
1700
# Replace the class with a new subclass of it with
1384
1701
# methods, signals, etc. as created above.
1385
cls = type(b"{}Alternate".format(cls.__name__),
1386
(cls, ), attr)
1702
if sys.version_info.major == 2:
1703
cls = type(b"{}Alternate".format(cls.__name__),
1704
(cls, ), attr)
1705
else:
1706
cls = type("{}Alternate".format(cls.__name__),
1707
(cls, ), attr)
1387
1708
return cls
1388
1709
1389
1710
return wrapper
1390
1711
1391
1712
1393
1714
"se.bsnet.fukt.Mandos"})
1394
1715
class ClientDBus(Client, DBusObjectWithProperties):
1395
1716
"""A Client class using D-Bus
1396
1717
1397
1718
Attributes:
1398
1719
dbus_object_path: dbus.ObjectPath
1399
1720
bus: dbus.SystemBus()
1400
1721
"""
1401
1722
1402
1723
runtime_expansions = (Client.runtime_expansions
1403
1724
+ ("dbus_object_path", ))
1404
1725
1405
1726
_interface = "se.recompile.Mandos.Client"
1406
1727
1407
1728
# dbus.service.Object doesn't use super(), so we can't either.
1408
1409
def __init__(self, bus = None, *args, **kwargs):
1729
1730
def __init__(self, bus=None, *args, **kwargs):
1410
1731
self.bus = bus
1411
1732
Client.__init__(self, *args, **kwargs)
1412
1733
# Only now, when this client is initialized, can it show up on
1418
1739
"/clients/" + client_object_name)
1419
1740
DBusObjectWithProperties.__init__(self, self.bus,
1420
1741
self.dbus_object_path)
1421
1742
1422
1743
def notifychangeproperty(transform_func, dbus_name,
1423
1744
type_func=lambda x: x,
1424
1745
variant_level=1,
1426
1747
_interface=_interface):
1427
1748
""" Modify a variable so that it's a property which announces
1428
1749
its changes to DBus.
1429
1750
1430
1751
transform_fun: Function that takes a value and a variant_level
1431
1752
and transforms it to a D-Bus type.
1432
1753
dbus_name: D-Bus name of the variable
1435
1756
variant_level: D-Bus variant level. Default: 1
1436
1757
"""
1437
1758
attrname = "_{}".format(dbus_name)
1438
1759
1439
1760
def setter(self, value):
1440
1761
if hasattr(self, "dbus_object_path"):
1441
1762
if (not hasattr(self, attrname) or
1448
1769
else:
1449
1770
dbus_value = transform_func(
1450
1771
type_func(value),
1451
variant_level = variant_level)
1772
variant_level=variant_level)
1452
1773
self.PropertyChanged(dbus.String(dbus_name),
1453
1774
dbus_value)
1454
1775
self.PropertiesChanged(
1455
1776
_interface,
1456
dbus.Dictionary({ dbus.String(dbus_name):
1457
dbus_value }),
1777
dbus.Dictionary({dbus.String(dbus_name):
1778
dbus_value}),
1458
1779
dbus.Array())
1459
1780
setattr(self, attrname, value)
1460
1781
1461
1782
return property(lambda self: getattr(self, attrname), setter)
1462
1783
1463
1784
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1464
1785
approvals_pending = notifychangeproperty(dbus.Boolean,
1465
1786
"ApprovalPending",
1466
type_func = bool)
1787
type_func=bool)
1467
1788
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1468
1789
last_enabled = notifychangeproperty(datetime_to_dbus,
1469
1790
"LastEnabled")
1470
1791
checker = notifychangeproperty(
1471
1792
dbus.Boolean, "CheckerRunning",
1472
type_func = lambda checker: checker is not None)
1793
type_func=lambda checker: checker is not None)
1473
1794
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1474
1795
"LastCheckedOK")
1475
1796
last_checker_status = notifychangeproperty(dbus.Int16,
1480
1801
"ApprovedByDefault")
1481
1802
approval_delay = notifychangeproperty(
1482
1803
dbus.UInt64, "ApprovalDelay",
1483
type_func = lambda td: td.total_seconds() * 1000)
1804
type_func=lambda td: td.total_seconds() * 1000)
1484
1805
approval_duration = notifychangeproperty(
1485
1806
dbus.UInt64, "ApprovalDuration",
1486
type_func = lambda td: td.total_seconds() * 1000)
1807
type_func=lambda td: td.total_seconds() * 1000)
1487
1808
host = notifychangeproperty(dbus.String, "Host")
1488
1809
timeout = notifychangeproperty(
1489
1810
dbus.UInt64, "Timeout",
1490
type_func = lambda td: td.total_seconds() * 1000)
1811
type_func=lambda td: td.total_seconds() * 1000)
1491
1812
extended_timeout = notifychangeproperty(
1492
1813
dbus.UInt64, "ExtendedTimeout",
1493
type_func = lambda td: td.total_seconds() * 1000)
1814
type_func=lambda td: td.total_seconds() * 1000)
1494
1815
interval = notifychangeproperty(
1495
1816
dbus.UInt64, "Interval",
1496
type_func = lambda td: td.total_seconds() * 1000)
1817
type_func=lambda td: td.total_seconds() * 1000)
1497
1818
checker_command = notifychangeproperty(dbus.String, "Checker")
1498
1819
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1499
1820
invalidate_only=True)
1500
1821
1501
1822
del notifychangeproperty
1502
1823
1503
1824
def __del__(self, *args, **kwargs):
1504
1825
try:
1505
1826
self.remove_from_connection()
1508
1829
if hasattr(DBusObjectWithProperties, "__del__"):
1509
1830
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1510
1831
Client.__del__(self, *args, **kwargs)
1511
1832
1512
1833
def checker_callback(self, source, condition,
1513
1834
connection, command, *args, **kwargs):
1514
1835
ret = Client.checker_callback(self, source, condition,
1530
1851
| self.last_checker_signal),
1531
1852
dbus.String(command))
1532
1853
return ret
1533
1854
1534
1855
def start_checker(self, *args, **kwargs):
1535
1856
old_checker_pid = getattr(self.checker, "pid", None)
1536
1857
r = Client.start_checker(self, *args, **kwargs)
1540
1861
# Emit D-Bus signal
1541
1862
self.CheckerStarted(self.current_checker_command)
1542
1863
return r
1543
1864
1544
1865
def _reset_approved(self):
1545
1866
self.approved = None
1546
1867
return False
1547
1868
1548
1869
def approve(self, value=True):
1549
1870
self.approved = value
1550
gobject.timeout_add(int(self.approval_duration.total_seconds()
1551
* 1000), self._reset_approved)
1871
GLib.timeout_add(int(self.approval_duration.total_seconds()
1872
* 1000), self._reset_approved)
1552
1873
self.send_changedstate()
1553
1554
## D-Bus methods, signals & properties
1555
1556
## Interfaces
1557
1558
## Signals
1559
1874
1875
# D-Bus methods, signals & properties
1876
1877
# Interfaces
1878
1879
# Signals
1880
1560
1881
# CheckerCompleted - signal
1561
1882
@dbus.service.signal(_interface, signature="nxs")
1562
1883
def CheckerCompleted(self, exitcode, waitstatus, command):
1563
1884
"D-Bus signal"
1564
1885
pass
1565
1886
1566
1887
# CheckerStarted - signal
1567
1888
@dbus.service.signal(_interface, signature="s")
1568
1889
def CheckerStarted(self, command):
1569
1890
"D-Bus signal"
1570
1891
pass
1571
1892
1572
1893
# PropertyChanged - signal
1573
1894
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1574
1895
@dbus.service.signal(_interface, signature="sv")
1575
1896
def PropertyChanged(self, property, value):
1576
1897
"D-Bus signal"
1577
1898
pass
1578
1899
1579
1900
# GotSecret - signal
1580
1901
@dbus.service.signal(_interface)
1581
1902
def GotSecret(self):
1584
1905
server to mandos-client
1585
1906
"""
1586
1907
pass
1587
1908
1588
1909
# Rejected - signal
1589
1910
@dbus.service.signal(_interface, signature="s")
1590
1911
def Rejected(self, reason):
1591
1912
"D-Bus signal"
1592
1913
pass
1593
1914
1594
1915
# NeedApproval - signal
1595
1916
@dbus.service.signal(_interface, signature="tb")
1596
1917
def NeedApproval(self, timeout, default):
1597
1918
"D-Bus signal"
1598
1919
return self.need_approval()
1599
1600
## Methods
1601
1920
1921
# Methods
1922
1602
1923
# Approve - method
1603
1924
@dbus.service.method(_interface, in_signature="b")
1604
1925
def Approve(self, value):
1605
1926
self.approve(value)
1606
1927
1607
1928
# CheckedOK - method
1608
1929
@dbus.service.method(_interface)
1609
1930
def CheckedOK(self):
1610
1931
self.checked_ok()
1611
1932
1612
1933
# Enable - method
1613
1934
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1614
1935
@dbus.service.method(_interface)
1615
1936
def Enable(self):
1616
1937
"D-Bus method"
1617
1938
self.enable()
1618
1939
1619
1940
# StartChecker - method
1620
1941
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1621
1942
@dbus.service.method(_interface)
1622
1943
def StartChecker(self):
1623
1944
"D-Bus method"
1624
1945
self.start_checker()
1625
1946
1626
1947
# Disable - method
1627
1948
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1628
1949
@dbus.service.method(_interface)
1629
1950
def Disable(self):
1630
1951
"D-Bus method"
1631
1952
self.disable()
1632
1953
1633
1954
# StopChecker - method
1634
1955
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1635
1956
@dbus.service.method(_interface)
1636
1957
def StopChecker(self):
1637
1958
self.stop_checker()
1638
1639
## Properties
1640
1959
1960
# Properties
1961
1641
1962
# ApprovalPending - property
1642
1963
@dbus_service_property(_interface, signature="b", access="read")
1643
1964
def ApprovalPending_dbus_property(self):
1644
1965
return dbus.Boolean(bool(self.approvals_pending))
1645
1966
1646
1967
# ApprovedByDefault - property
1647
1968
@dbus_service_property(_interface,
1648
1969
signature="b",
1651
1972
if value is None: # get
1652
1973
return dbus.Boolean(self.approved_by_default)
1653
1974
self.approved_by_default = bool(value)
1654
1975
1655
1976
# ApprovalDelay - property
1656
1977
@dbus_service_property(_interface,
1657
1978
signature="t",
1661
1982
return dbus.UInt64(self.approval_delay.total_seconds()
1662
1983
* 1000)
1663
1984
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1664
1985
1665
1986
# ApprovalDuration - property
1666
1987
@dbus_service_property(_interface,
1667
1988
signature="t",
1671
1992
return dbus.UInt64(self.approval_duration.total_seconds()
1672
1993
* 1000)
1673
1994
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1674
1995
1675
1996
# Name - property
1676
1997
@dbus_annotations(
1677
1998
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1678
1999
@dbus_service_property(_interface, signature="s", access="read")
1679
2000
def Name_dbus_property(self):
1680
2001
return dbus.String(self.name)
1681
2002
1682
2003
# Fingerprint - property
1683
2004
@dbus_annotations(
1684
2005
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1685
2006
@dbus_service_property(_interface, signature="s", access="read")
1686
2007
def Fingerprint_dbus_property(self):
1687
2008
return dbus.String(self.fingerprint)
1688
2009
1689
2010
# Host - property
1690
2011
@dbus_service_property(_interface,
1691
2012
signature="s",
1694
2015
if value is None: # get
1695
2016
return dbus.String(self.host)
1696
2017
self.host = str(value)
1697
2018
1698
2019
# Created - property
1699
2020
@dbus_annotations(
1700
2021
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1701
2022
@dbus_service_property(_interface, signature="s", access="read")
1702
2023
def Created_dbus_property(self):
1703
2024
return datetime_to_dbus(self.created)
1704
2025
1705
2026
# LastEnabled - property
1706
2027
@dbus_service_property(_interface, signature="s", access="read")
1707
2028
def LastEnabled_dbus_property(self):
1708
2029
return datetime_to_dbus(self.last_enabled)
1709
2030
1710
2031
# Enabled - property
1711
2032
@dbus_service_property(_interface,
1712
2033
signature="b",
1718
2039
self.enable()
1719
2040
else:
1720
2041
self.disable()
1721
2042
1722
2043
# LastCheckedOK - property
1723
2044
@dbus_service_property(_interface,
1724
2045
signature="s",
1728
2049
self.checked_ok()
1729
2050
return
1730
2051
return datetime_to_dbus(self.last_checked_ok)
1731
2052
1732
2053
# LastCheckerStatus - property
1733
2054
@dbus_service_property(_interface, signature="n", access="read")
1734
2055
def LastCheckerStatus_dbus_property(self):
1735
2056
return dbus.Int16(self.last_checker_status)
1736
2057
1737
2058
# Expires - property
1738
2059
@dbus_service_property(_interface, signature="s", access="read")
1739
2060
def Expires_dbus_property(self):
1740
2061
return datetime_to_dbus(self.expires)
1741
2062
1742
2063
# LastApprovalRequest - property
1743
2064
@dbus_service_property(_interface, signature="s", access="read")
1744
2065
def LastApprovalRequest_dbus_property(self):
1745
2066
return datetime_to_dbus(self.last_approval_request)
1746
2067
1747
2068
# Timeout - property
1748
2069
@dbus_service_property(_interface,
1749
2070
signature="t",
1764
2085
if (getattr(self, "disable_initiator_tag", None)
1765
2086
is None):
1766
2087
return
1767
gobject.source_remove(self.disable_initiator_tag)
1768
self.disable_initiator_tag = gobject.timeout_add(
2088
GLib.source_remove(self.disable_initiator_tag)
2089
self.disable_initiator_tag = GLib.timeout_add(
1769
2090
int((self.expires - now).total_seconds() * 1000),
1770
2091
self.disable)
1771
2092
1772
2093
# ExtendedTimeout - property
1773
2094
@dbus_service_property(_interface,
1774
2095
signature="t",
1778
2099
return dbus.UInt64(self.extended_timeout.total_seconds()
1779
2100
* 1000)
1780
2101
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1781
2102
1782
2103
# Interval - property
1783
2104
@dbus_service_property(_interface,
1784
2105
signature="t",
1791
2112
return
1792
2113
if self.enabled:
1793
2114
# Reschedule checker run
1794
gobject.source_remove(self.checker_initiator_tag)
1795
self.checker_initiator_tag = gobject.timeout_add(
2115
GLib.source_remove(self.checker_initiator_tag)
2116
self.checker_initiator_tag = GLib.timeout_add(
1796
2117
value, self.start_checker)
1797
self.start_checker() # Start one now, too
1798
2118
self.start_checker() # Start one now, too
2119
1799
2120
# Checker - property
1800
2121
@dbus_service_property(_interface,
1801
2122
signature="s",
1804
2125
if value is None: # get
1805
2126
return dbus.String(self.checker_command)
1806
2127
self.checker_command = str(value)
1807
2128
1808
2129
# CheckerRunning - property
1809
2130
@dbus_service_property(_interface,
1810
2131
signature="b",
1816
2137
self.start_checker()
1817
2138
else:
1818
2139
self.stop_checker()
1819
2140
1820
2141
# ObjectPath - property
1821
2142
@dbus_annotations(
1822
2143
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1823
2144
"org.freedesktop.DBus.Deprecated": "true"})
1824
2145
@dbus_service_property(_interface, signature="o", access="read")
1825
2146
def ObjectPath_dbus_property(self):
1826
return self.dbus_object_path # is already a dbus.ObjectPath
1827
2147
return self.dbus_object_path # is already a dbus.ObjectPath
2148
1828
2149
# Secret = property
1829
2150
@dbus_annotations(
1830
2151
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1835
2156
byte_arrays=True)
1836
2157
def Secret_dbus_property(self, value):
1837
2158
self.secret = bytes(value)
1838
2159
1839
2160
del _interface
1840
2161
1841
2162
1845
2166
self._pipe.send(('init', fpr, address))
1846
2167
if not self._pipe.recv():
1847
2168
raise KeyError(fpr)
1848
2169
1849
2170
def __getattribute__(self, name):
1850
2171
if name == '_pipe':
1851
2172
return super(ProxyClient, self).__getattribute__(name)
1854
2175
if data[0] == 'data':
1855
2176
return data[1]
1856
2177
if data[0] == 'function':
1857
2178
1858
2179
def func(*args, **kwargs):
1859
2180
self._pipe.send(('funcall', name, args, kwargs))
1860
2181
return self._pipe.recv()[1]
1861
2182
1862
2183
return func
1863
2184
1864
2185
def __setattr__(self, name, value):
1865
2186
if name == '_pipe':
1866
2187
return super(ProxyClient, self).__setattr__(name, value)
1869
2190
1870
2191
class ClientHandler(socketserver.BaseRequestHandler, object):
1871
2192
"""A class to handle client connections.
1872
2193
1873
2194
Instantiated once for each connection to handle it.
1874
2195
Note: This will run in its own forked process."""
1875
2196
1876
2197
def handle(self):
1877
2198
with contextlib.closing(self.server.child_pipe) as child_pipe:
1878
2199
logger.info("TCP connection from: %s",
1879
2200
str(self.client_address))
1880
2201
logger.debug("Pipe FD: %d",
1881
2202
self.server.child_pipe.fileno())
1882
1883
session = gnutls.connection.ClientSession(
1884
self.request, gnutls.connection .X509Credentials())
1885
1886
# Note: gnutls.connection.X509Credentials is really a
1887
# generic GnuTLS certificate credentials object so long as
1888
# no X.509 keys are added to it. Therefore, we can use it
1889
# here despite using OpenPGP certificates.
1890
1891
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1892
# "+AES-256-CBC", "+SHA1",
1893
# "+COMP-NULL", "+CTYPE-OPENPGP",
1894
# "+DHE-DSS"))
2203
2204
session = gnutls.ClientSession(self.request)
2205
2206
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2207
# "+AES-256-CBC", "+SHA1",
2208
# "+COMP-NULL", "+CTYPE-OPENPGP",
2209
# "+DHE-DSS"))
1895
2210
# Use a fallback default, since this MUST be set.
1896
2211
priority = self.server.gnutls_priority
1897
2212
if priority is None:
1898
2213
priority = "NORMAL"
1899
gnutls.library.functions.gnutls_priority_set_direct(
1900
session._c_object, priority, None)
1901
2214
gnutls.priority_set_direct(session._c_object,
2215
priority.encode("utf-8"),
2216
None)
2217
1902
2218
# Start communication using the Mandos protocol
1903
2219
# Get protocol number
1904
2220
line = self.request.makefile().readline()
1909
2225
except (ValueError, IndexError, RuntimeError) as error:
1910
2226
logger.error("Unknown protocol version: %s", error)
1911
2227
return
1912
2228
1913
2229
# Start GnuTLS connection
1914
2230
try:
1915
2231
session.handshake()
1916
except gnutls.errors.GNUTLSError as error:
2232
except gnutls.Error as error:
1917
2233
logger.warning("Handshake failed: %s", error)
1918
2234
# Do not run session.bye() here: the session is not
1919
2235
# established. Just abandon the request.
1920
2236
return
1921
2237
logger.debug("Handshake succeeded")
1922
2238
1923
2239
approval_required = False
1924
2240
try:
1925
2241
try:
1926
2242
fpr = self.fingerprint(
1927
2243
self.peer_certificate(session))
1928
except (TypeError,
1929
gnutls.errors.GNUTLSError) as error:
2244
except (TypeError, gnutls.Error) as error:
1930
2245
logger.warning("Bad certificate: %s", error)
1931
2246
return
1932
2247
logger.debug("Fingerprint: %s", fpr)
1933
2248
1934
2249
try:
1935
2250
client = ProxyClient(child_pipe, fpr,
1936
2251
self.client_address)
1937
2252
except KeyError:
1938
2253
return
1939
2254
1940
2255
if client.approval_delay:
1941
2256
delay = client.approval_delay
1942
2257
client.approvals_pending += 1
1943
2258
approval_required = True
1944
2259
1945
2260
while True:
1946
2261
if not client.enabled:
1947
2262
logger.info("Client %s is disabled",
1950
2265
# Emit D-Bus signal
1951
2266
client.Rejected("Disabled")
1952
2267
return
1953
2268
1954
2269
if client.approved or not client.approval_delay:
1955
#We are approved or approval is disabled
2270
# We are approved or approval is disabled
1956
2271
break
1957
2272
elif client.approved is None:
1958
2273
logger.info("Client %s needs approval",
1969
2284
# Emit D-Bus signal
1970
2285
client.Rejected("Denied")
1971
2286
return
1972
1973
#wait until timeout or approved
2287
2288
# wait until timeout or approved
1974
2289
time = datetime.datetime.now()
1975
2290
client.changedstate.acquire()
1976
2291
client.changedstate.wait(delay.total_seconds())
1989
2304
break
1990
2305
else:
1991
2306
delay -= time2 - time
1992
1993
sent_size = 0
1994
while sent_size < len(client.secret):
1995
try:
1996
sent = session.send(client.secret[sent_size:])
1997
except gnutls.errors.GNUTLSError as error:
1998
logger.warning("gnutls send failed",
1999
exc_info=error)
2000
return
2001
logger.debug("Sent: %d, remaining: %d", sent,
2002
len(client.secret) - (sent_size
2003
+ sent))
2004
sent_size += sent
2005
2307
2308
try:
2309
session.send(client.secret)
2310
except gnutls.Error as error:
2311
logger.warning("gnutls send failed",
2312
exc_info=error)
2313
return
2314
2006
2315
logger.info("Sending secret to %s", client.name)
2007
2316
# bump the timeout using extended_timeout
2008
2317
client.bump_timeout(client.extended_timeout)
2009
2318
if self.server.use_dbus:
2010
2319
# Emit D-Bus signal
2011
2320
client.GotSecret()
2012
2321
2013
2322
finally:
2014
2323
if approval_required:
2015
2324
client.approvals_pending -= 1
2016
2325
try:
2017
2326
session.bye()
2018
except gnutls.errors.GNUTLSError as error:
2327
except gnutls.Error as error:
2019
2328
logger.warning("GnuTLS bye failed",
2020
2329
exc_info=error)
2021
2330
2022
2331
@staticmethod
2023
2332
def peer_certificate(session):
2024
2333
"Return the peer's OpenPGP certificate as a bytestring"
2025
2334
# If not an OpenPGP certificate...
2026
if (gnutls.library.functions.gnutls_certificate_type_get(
2027
session._c_object)
2028
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2029
# ...do the normal thing
2030
return session.peer_certificate
2335
if (gnutls.certificate_type_get(session._c_object)
2336
!= gnutls.CRT_OPENPGP):
2337
# ...return invalid data
2338
return b""
2031
2339
list_size = ctypes.c_uint(1)
2032
cert_list = (gnutls.library.functions
2033
.gnutls_certificate_get_peers
2340
cert_list = (gnutls.certificate_get_peers
2034
2341
(session._c_object, ctypes.byref(list_size)))
2035
2342
if not bool(cert_list) and list_size.value != 0:
2036
raise gnutls.errors.GNUTLSError("error getting peer"
2037
" certificate")
2343
raise gnutls.Error("error getting peer certificate")
2038
2344
if list_size.value == 0:
2039
2345
return None
2040
2346
cert = cert_list[0]
2041
2347
return ctypes.string_at(cert.data, cert.size)
2042
2348
2043
2349
@staticmethod
2044
2350
def fingerprint(openpgp):
2045
2351
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2046
2352
# New GnuTLS "datum" with the OpenPGP public key
2047
datum = gnutls.library.types.gnutls_datum_t(
2353
datum = gnutls.datum_t(
2048
2354
ctypes.cast(ctypes.c_char_p(openpgp),
2049
2355
ctypes.POINTER(ctypes.c_ubyte)),
2050
2356
ctypes.c_uint(len(openpgp)))
2051
2357
# New empty GnuTLS certificate
2052
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2053
gnutls.library.functions.gnutls_openpgp_crt_init(
2054
ctypes.byref(crt))
2358
crt = gnutls.openpgp_crt_t()
2359
gnutls.openpgp_crt_init(ctypes.byref(crt))
2055
2360
# Import the OpenPGP public key into the certificate
2056
gnutls.library.functions.gnutls_openpgp_crt_import(
2057
crt, ctypes.byref(datum),
2058
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2361
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2362
gnutls.OPENPGP_FMT_RAW)
2059
2363
# Verify the self signature in the key
2060
2364
crtverify = ctypes.c_uint()
2061
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2062
crt, 0, ctypes.byref(crtverify))
2365
gnutls.openpgp_crt_verify_self(crt, 0,
2366
ctypes.byref(crtverify))
2063
2367
if crtverify.value != 0:
2064
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2065
raise gnutls.errors.CertificateSecurityError(
2066
"Verify failed")
2368
gnutls.openpgp_crt_deinit(crt)
2369
raise gnutls.CertificateSecurityError("Verify failed")
2067
2370
# New buffer for the fingerprint
2068
2371
buf = ctypes.create_string_buffer(20)
2069
2372
buf_len = ctypes.c_size_t()
2070
2373
# Get the fingerprint from the certificate into the buffer
2071
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2072
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2374
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2375
ctypes.byref(buf_len))
2073
2376
# Deinit the certificate
2074
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2377
gnutls.openpgp_crt_deinit(crt)
2075
2378
# Convert the buffer to a Python bytestring
2076
2379
fpr = ctypes.string_at(buf, buf_len.value)
2077
2380
# Convert the bytestring to hexadecimal notation
2081
2384
2082
2385
class MultiprocessingMixIn(object):
2083
2386
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2084
2387
2085
2388
def sub_process_main(self, request, address):
2086
2389
try:
2087
2390
self.finish_request(request, address)
2088
2391
except Exception:
2089
2392
self.handle_error(request, address)
2090
2393
self.close_request(request)
2091
2394
2092
2395
def process_request(self, request, address):
2093
2396
"""Start a new process to process the request."""
2094
proc = multiprocessing.Process(target = self.sub_process_main,
2095
args = (request, address))
2397
proc = multiprocessing.Process(target=self.sub_process_main,
2398
args=(request, address))
2096
2399
proc.start()
2097
2400
return proc
2098
2401
2099
2402
2100
2403
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2101
2404
""" adds a pipe to the MixIn """
2102
2405
2103
2406
def process_request(self, request, client_address):
2104
2407
"""Overrides and wraps the original process_request().
2105
2408
2106
2409
This function creates a new pipe in self.pipe
2107
2410
"""
2108
2411
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2109
2412
2110
2413
proc = MultiprocessingMixIn.process_request(self, request,
2111
2414
client_address)
2112
2415
self.child_pipe.close()
2113
2416
self.add_pipe(parent_pipe, proc)
2114
2417
2115
2418
def add_pipe(self, parent_pipe, proc):
2116
2419
"""Dummy function; override as necessary"""
2117
2420
raise NotImplementedError()
2120
2423
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2121
2424
socketserver.TCPServer, object):
2122
2425
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2123
2426
2124
2427
Attributes:
2125
2428
enabled: Boolean; whether this server is activated yet
2126
2429
interface: None or a network interface name (string)
2127
2430
use_ipv6: Boolean; to use IPv6 or not
2128
2431
"""
2129
2432
2130
2433
def __init__(self, server_address, RequestHandlerClass,
2131
2434
interface=None,
2132
2435
use_ipv6=True,
2142
2445
self.socketfd = socketfd
2143
2446
# Save the original socket.socket() function
2144
2447
self.socket_socket = socket.socket
2448
2145
2449
# To implement --socket, we monkey patch socket.socket.
2146
#
2450
#
2147
2451
# (When socketserver.TCPServer is a new-style class, we
2148
2452
# could make self.socket into a property instead of monkey
2149
2453
# patching socket.socket.)
2150
#
2454
#
2151
2455
# Create a one-time-only replacement for socket.socket()
2152
2456
@functools.wraps(socket.socket)
2153
2457
def socket_wrapper(*args, **kwargs):
2165
2469
# socket_wrapper(), if socketfd was set.
2166
2470
socketserver.TCPServer.__init__(self, server_address,
2167
2471
RequestHandlerClass)
2168
2472
2169
2473
def server_bind(self):
2170
2474
"""This overrides the normal server_bind() function
2171
2475
to bind to an interface if one was specified, and also NOT to
2172
2476
bind to an address or port if they were not specified."""
2477
global SO_BINDTODEVICE
2173
2478
if self.interface is not None:
2174
2479
if SO_BINDTODEVICE is None:
2175
logger.error("SO_BINDTODEVICE does not exist;"
2176
" cannot bind to interface %s",
2177
self.interface)
2178
else:
2179
try:
2180
self.socket.setsockopt(
2181
socket.SOL_SOCKET, SO_BINDTODEVICE,
2182
(self.interface + "\0").encode("utf-8"))
2183
except socket.error as error:
2184
if error.errno == errno.EPERM:
2185
logger.error("No permission to bind to"
2186
" interface %s", self.interface)
2187
elif error.errno == errno.ENOPROTOOPT:
2188
logger.error("SO_BINDTODEVICE not available;"
2189
" cannot bind to interface %s",
2190
self.interface)
2191
elif error.errno == errno.ENODEV:
2192
logger.error("Interface %s does not exist,"
2193
" cannot bind", self.interface)
2194
else:
2195
raise
2480
# Fall back to a hard-coded value which seems to be
2481
# common enough.
2482
logger.warning("SO_BINDTODEVICE not found, trying 25")
2483
SO_BINDTODEVICE = 25
2484
try:
2485
self.socket.setsockopt(
2486
socket.SOL_SOCKET, SO_BINDTODEVICE,
2487
(self.interface + "\0").encode("utf-8"))
2488
except socket.error as error:
2489
if error.errno == errno.EPERM:
2490
logger.error("No permission to bind to"
2491
" interface %s", self.interface)
2492
elif error.errno == errno.ENOPROTOOPT:
2493
logger.error("SO_BINDTODEVICE not available;"
2494
" cannot bind to interface %s",
2495
self.interface)
2496
elif error.errno == errno.ENODEV:
2497
logger.error("Interface %s does not exist,"
2498
" cannot bind", self.interface)
2499
else:
2500
raise
2196
2501
# Only bind(2) the socket if we really need to.
2197
2502
if self.server_address[0] or self.server_address[1]:
2198
2503
if not self.server_address[0]:
2199
2504
if self.address_family == socket.AF_INET6:
2200
any_address = "::" # in6addr_any
2505
any_address = "::" # in6addr_any
2201
2506
else:
2202
any_address = "0.0.0.0" # INADDR_ANY
2507
any_address = "0.0.0.0" # INADDR_ANY
2203
2508
self.server_address = (any_address,
2204
2509
self.server_address[1])
2205
2510
elif not self.server_address[1]:
2215
2520
2216
2521
class MandosServer(IPv6_TCPServer):
2217
2522
"""Mandos server.
2218
2523
2219
2524
Attributes:
2220
2525
clients: set of Client objects
2221
2526
gnutls_priority GnuTLS priority string
2222
2527
use_dbus: Boolean; to emit D-Bus signals or not
2223
2224
Assumes a gobject.MainLoop event loop.
2528
2529
Assumes a GLib.MainLoop event loop.
2225
2530
"""
2226
2531
2227
2532
def __init__(self, server_address, RequestHandlerClass,
2228
2533
interface=None,
2229
2534
use_ipv6=True,
2239
2544
self.gnutls_priority = gnutls_priority
2240
2545
IPv6_TCPServer.__init__(self, server_address,
2241
2546
RequestHandlerClass,
2242
interface = interface,
2243
use_ipv6 = use_ipv6,
2244
socketfd = socketfd)
2245
2547
interface=interface,
2548
use_ipv6=use_ipv6,
2549
socketfd=socketfd)
2550
2246
2551
def server_activate(self):
2247
2552
if self.enabled:
2248
2553
return socketserver.TCPServer.server_activate(self)
2249
2554
2250
2555
def enable(self):
2251
2556
self.enabled = True
2252
2557
2253
2558
def add_pipe(self, parent_pipe, proc):
2254
2559
# Call "handle_ipc" for both data and EOF events
2255
gobject.io_add_watch(
2560
GLib.io_add_watch(
2256
2561
parent_pipe.fileno(),
2257
gobject.IO_IN | gobject.IO_HUP,
2562
GLib.IO_IN | GLib.IO_HUP,
2258
2563
functools.partial(self.handle_ipc,
2259
parent_pipe = parent_pipe,
2260
proc = proc))
2261
2564
parent_pipe=parent_pipe,
2565
proc=proc))
2566
2262
2567
def handle_ipc(self, source, condition,
2263
2568
parent_pipe=None,
2264
proc = None,
2569
proc=None,
2265
2570
client_object=None):
2266
2571
# error, or the other end of multiprocessing.Pipe has closed
2267
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2572
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2268
2573
# Wait for other process to exit
2269
2574
proc.join()
2270
2575
return False
2271
2576
2272
2577
# Read a request from the child
2273
2578
request = parent_pipe.recv()
2274
2579
command = request[0]
2275
2580
2276
2581
if command == 'init':
2277
fpr = request[1]
2582
fpr = request[1].decode("ascii")
2278
2583
address = request[2]
2279
2280
for c in self.clients.itervalues():
2584
2585
for c in self.clients.values():
2281
2586
if c.fingerprint == fpr:
2282
2587
client = c
2283
2588
break
2290
2595
address[0])
2291
2596
parent_pipe.send(False)
2292
2597
return False
2293
2294
gobject.io_add_watch(
2598
2599
GLib.io_add_watch(
2295
2600
parent_pipe.fileno(),
2296
gobject.IO_IN | gobject.IO_HUP,
2601
GLib.IO_IN | GLib.IO_HUP,
2297
2602
functools.partial(self.handle_ipc,
2298
parent_pipe = parent_pipe,
2299
proc = proc,
2300
client_object = client))
2603
parent_pipe=parent_pipe,
2604
proc=proc,
2605
client_object=client))
2301
2606
parent_pipe.send(True)
2302
2607
# remove the old hook in favor of the new above hook on
2303
2608
# same fileno
2306
2611
funcname = request[1]
2307
2612
args = request[2]
2308
2613
kwargs = request[3]
2309
2614
2310
2615
parent_pipe.send(('data', getattr(client_object,
2311
2616
funcname)(*args,
2312
2617
**kwargs)))
2313
2618
2314
2619
if command == 'getattr':
2315
2620
attrname = request[1]
2316
2621
if isinstance(client_object.__getattribute__(attrname),
2319
2624
else:
2320
2625
parent_pipe.send((
2321
2626
'data', client_object.__getattribute__(attrname)))
2322
2627
2323
2628
if command == 'setattr':
2324
2629
attrname = request[1]
2325
2630
value = request[2]
2326
2631
setattr(client_object, attrname, value)
2327
2632
2328
2633
return True
2329
2634
2330
2635
2331
2636
def rfc3339_duration_to_delta(duration):
2332
2637
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2333
2638
2334
2639
>>> rfc3339_duration_to_delta("P7D")
2335
2640
datetime.timedelta(7)
2336
2641
>>> rfc3339_duration_to_delta("PT60S")
2346
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2347
2652
datetime.timedelta(1, 200)
2348
2653
"""
2349
2654
2350
2655
# Parsing an RFC 3339 duration with regular expressions is not
2351
2656
# possible - there would have to be multiple places for the same
2352
2657
# values, like seconds. The current code, while more esoteric, is
2353
2658
# cleaner without depending on a parsing library. If Python had a
2354
2659
# built-in library for parsing we would use it, but we'd like to
2355
2660
# avoid excessive use of external libraries.
2356
2661
2357
2662
# New type for defining tokens, syntax, and semantics all-in-one
2358
2663
Token = collections.namedtuple("Token", (
2359
2664
"regexp", # To match token; if "value" is not None, must have
2392
2697
frozenset((token_year, token_month,
2393
2698
token_day, token_time,
2394
2699
token_week)))
2395
# Define starting values
2396
value = datetime.timedelta() # Value so far
2700
# Define starting values:
2701
# Value so far
2702
value = datetime.timedelta()
2397
2703
found_token = None
2398
followers = frozenset((token_duration, )) # Following valid tokens
2399
s = duration # String left to parse
2704
# Following valid tokens
2705
followers = frozenset((token_duration, ))
2706
# String left to parse
2707
s = duration
2400
2708
# Loop until end token is found
2401
2709
while found_token is not token_end:
2402
2710
# Search for any currently valid tokens
2426
2734
2427
2735
def string_to_delta(interval):
2428
2736
"""Parse a string and return a datetime.timedelta
2429
2737
2430
2738
>>> string_to_delta('7d')
2431
2739
datetime.timedelta(7)
2432
2740
>>> string_to_delta('60s')
2440
2748
>>> string_to_delta('5m 30s')
2441
2749
datetime.timedelta(0, 330)
2442
2750
"""
2443
2751
2444
2752
try:
2445
2753
return rfc3339_duration_to_delta(interval)
2446
2754
except ValueError:
2447
2755
pass
2448
2756
2449
2757
timevalue = datetime.timedelta(0)
2450
2758
for s in interval.split():
2451
2759
try:
2469
2777
return timevalue
2470
2778
2471
2779
2472
def daemon(nochdir = False, noclose = False):
2780
def daemon(nochdir=False, noclose=False):
2473
2781
"""See daemon(3). Standard BSD Unix function.
2474
2782
2475
2783
This should really exist as os.daemon, but it doesn't (yet)."""
2476
2784
if os.fork():
2477
2785
sys.exit()
2495
2803
2496
2804
2497
2805
def main():
2498
2806
2499
2807
##################################################################
2500
2808
# Parsing of options, both command line and config file
2501
2809
2502
2810
parser = argparse.ArgumentParser()
2503
2811
parser.add_argument("-v", "--version", action="version",
2504
version = "%(prog)s {}".format(version),
2812
version="%(prog)s {}".format(version),
2505
2813
help="show version number and exit")
2506
2814
parser.add_argument("-i", "--interface", metavar="IF",
2507
2815
help="Bind to interface IF")
2543
2851
parser.add_argument("--no-zeroconf", action="store_false",
2544
2852
dest="zeroconf", help="Do not use Zeroconf",
2545
2853
default=None)
2546
2854
2547
2855
options = parser.parse_args()
2548
2856
2549
2857
if options.check:
2550
2858
import doctest
2551
2859
fail_count, test_count = doctest.testmod()
2552
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2553
2861
2554
2862
# Default values for config file for server-global settings
2555
server_defaults = { "interface": "",
2556
"address": "",
2557
"port": "",
2558
"debug": "False",
2559
"priority":
2560
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2561
":+SIGN-DSA-SHA256",
2562
"servicename": "Mandos",
2563
"use_dbus": "True",
2564
"use_ipv6": "True",
2565
"debuglevel": "",
2566
"restore": "True",
2567
"socket": "",
2568
"statedir": "/var/lib/mandos",
2569
"foreground": "False",
2570
"zeroconf": "True",
2571
}
2572
2863
server_defaults = {"interface": "",
2864
"address": "",
2865
"port": "",
2866
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2870
"servicename": "Mandos",
2871
"use_dbus": "True",
2872
"use_ipv6": "True",
2873
"debuglevel": "",
2874
"restore": "True",
2875
"socket": "",
2876
"statedir": "/var/lib/mandos",
2877
"foreground": "False",
2878
"zeroconf": "True",
2879
}
2880
2573
2881
# Parse config file for server-global settings
2574
2882
server_config = configparser.SafeConfigParser(server_defaults)
2575
2883
del server_defaults
2577
2885
# Convert the SafeConfigParser object to a dict
2578
2886
server_settings = server_config.defaults()
2579
2887
# Use the appropriate methods on the non-string config options
2580
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2888
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2889
"foreground", "zeroconf"):
2581
2890
server_settings[option] = server_config.getboolean("DEFAULT",
2582
2891
option)
2583
2892
if server_settings["port"]:
2593
2902
server_settings["socket"] = os.dup(server_settings
2594
2903
["socket"])
2595
2904
del server_config
2596
2905
2597
2906
# Override the settings from the config file with command line
2598
2907
# options, if set.
2599
2908
for option in ("interface", "address", "port", "debug",
2617
2926
if server_settings["debug"]:
2618
2927
server_settings["foreground"] = True
2619
2928
# Now we have our good server settings in "server_settings"
2620
2929
2621
2930
##################################################################
2622
2931
2623
2932
if (not server_settings["zeroconf"]
2624
2933
and not (server_settings["port"]
2625
2934
or server_settings["socket"] != "")):
2626
2935
parser.error("Needs port or socket to work without Zeroconf")
2627
2936
2628
2937
# For convenience
2629
2938
debug = server_settings["debug"]
2630
2939
debuglevel = server_settings["debuglevel"]
2634
2943
stored_state_file)
2635
2944
foreground = server_settings["foreground"]
2636
2945
zeroconf = server_settings["zeroconf"]
2637
2946
2638
2947
if debug:
2639
2948
initlogger(debug, logging.DEBUG)
2640
2949
else:
2643
2952
else:
2644
2953
level = getattr(logging, debuglevel.upper())
2645
2954
initlogger(debug, level)
2646
2955
2647
2956
if server_settings["servicename"] != "Mandos":
2648
2957
syslogger.setFormatter(
2649
2958
logging.Formatter('Mandos ({}) [%(process)d]:'
2650
2959
' %(levelname)s: %(message)s'.format(
2651
2960
server_settings["servicename"])))
2652
2961
2653
2962
# Parse config file with clients
2654
2963
client_config = configparser.SafeConfigParser(Client
2655
2964
.client_defaults)
2656
2965
client_config.read(os.path.join(server_settings["configdir"],
2657
2966
"clients.conf"))
2658
2967
2659
2968
global mandos_dbus_service
2660
2969
mandos_dbus_service = None
2661
2970
2662
2971
socketfd = None
2663
2972
if server_settings["socket"] != "":
2664
2973
socketfd = server_settings["socket"]
2680
2989
except IOError as e:
2681
2990
logger.error("Could not open file %r", pidfilename,
2682
2991
exc_info=e)
2683
2684
for name in ("_mandos", "mandos", "nobody"):
2992
2993
for name, group in (("_mandos", "_mandos"),
2994
("mandos", "mandos"),
2995
("nobody", "nogroup")):
2685
2996
try:
2686
2997
uid = pwd.getpwnam(name).pw_uid
2687
gid = pwd.getpwnam(name).pw_gid
2998
gid = pwd.getpwnam(group).pw_gid
2688
2999
break
2689
3000
except KeyError:
2690
3001
continue
2694
3005
try:
2695
3006
os.setgid(gid)
2696
3007
os.setuid(uid)
3008
if debug:
3009
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3010
gid))
2697
3011
except OSError as error:
3012
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3013
.format(uid, gid, os.strerror(error.errno)))
2698
3014
if error.errno != errno.EPERM:
2699
3015
raise
2700
3016
2701
3017
if debug:
2702
3018
# Enable all possible GnuTLS debugging
2703
3019
2704
3020
# "Use a log level over 10 to enable all debugging options."
2705
3021
# - GnuTLS manual
2706
gnutls.library.functions.gnutls_global_set_log_level(11)
2707
2708
@gnutls.library.types.gnutls_log_func
3022
gnutls.global_set_log_level(11)
3023
3024
@gnutls.log_func
2709
3025
def debug_gnutls(level, string):
2710
3026
logger.debug("GnuTLS: %s", string[:-1])
2711
2712
gnutls.library.functions.gnutls_global_set_log_function(
2713
debug_gnutls)
2714
3027
3028
gnutls.global_set_log_function(debug_gnutls)
3029
2715
3030
# Redirect stdin so all checkers get /dev/null
2716
3031
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2717
3032
os.dup2(null, sys.stdin.fileno())
2718
3033
if null > 2:
2719
3034
os.close(null)
2720
3035
2721
3036
# Need to fork before connecting to D-Bus
2722
3037
if not foreground:
2723
3038
# Close all input and output, do double fork, etc.
2724
3039
daemon()
2725
2726
# multiprocessing will use threads, so before we use gobject we
2727
# need to inform gobject that threads will be used.
2728
gobject.threads_init()
2729
3040
3041
# multiprocessing will use threads, so before we use GLib we need
3042
# to inform GLib that threads will be used.
3043
GLib.threads_init()
3044
2730
3045
global main_loop
2731
3046
# From the Avahi example code
2732
3047
DBusGMainLoop(set_as_default=True)
2733
main_loop = gobject.MainLoop()
3048
main_loop = GLib.MainLoop()
2734
3049
bus = dbus.SystemBus()
2735
3050
# End of Avahi example code
2736
3051
if use_dbus:
2749
3064
if zeroconf:
2750
3065
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2751
3066
service = AvahiServiceToSyslog(
2752
name = server_settings["servicename"],
2753
servicetype = "_mandos._tcp",
2754
protocol = protocol,
2755
bus = bus)
3067
name=server_settings["servicename"],
3068
servicetype="_mandos._tcp",
3069
protocol=protocol,
3070
bus=bus)
2756
3071
if server_settings["interface"]:
2757
3072
service.interface = if_nametoindex(
2758
3073
server_settings["interface"].encode("utf-8"))
2759
3074
2760
3075
global multiprocessing_manager
2761
3076
multiprocessing_manager = multiprocessing.Manager()
2762
3077
2763
3078
client_class = Client
2764
3079
if use_dbus:
2765
client_class = functools.partial(ClientDBus, bus = bus)
2766
3080
client_class = functools.partial(ClientDBus, bus=bus)
3081
2767
3082
client_settings = Client.config_parser(client_config)
2768
3083
old_client_settings = {}
2769
3084
clients_data = {}
2770
3085
2771
3086
# This is used to redirect stdout and stderr for checker processes
2772
3087
global wnull
2773
wnull = open(os.devnull, "w") # A writable /dev/null
3088
wnull = open(os.devnull, "w") # A writable /dev/null
2774
3089
# Only used if server is running in foreground but not in debug
2775
3090
# mode
2776
3091
if debug or not foreground:
2777
3092
wnull.close()
2778
3093
2779
3094
# Get client data and settings from last running state.
2780
3095
if server_settings["restore"]:
2781
3096
try:
2782
3097
with open(stored_state_path, "rb") as stored_state:
2783
clients_data, old_client_settings = pickle.load(
2784
stored_state)
3098
if sys.version_info.major == 2:
3099
clients_data, old_client_settings = pickle.load(
3100
stored_state)
3101
else:
3102
bytes_clients_data, bytes_old_client_settings = (
3103
pickle.load(stored_state, encoding="bytes"))
3104
# Fix bytes to strings
3105
# clients_data
3106
# .keys()
3107
clients_data = {(key.decode("utf-8")
3108
if isinstance(key, bytes)
3109
else key): value
3110
for key, value in
3111
bytes_clients_data.items()}
3112
del bytes_clients_data
3113
for key in clients_data:
3114
value = {(k.decode("utf-8")
3115
if isinstance(k, bytes) else k): v
3116
for k, v in
3117
clients_data[key].items()}
3118
clients_data[key] = value
3119
# .client_structure
3120
value["client_structure"] = [
3121
(s.decode("utf-8")
3122
if isinstance(s, bytes)
3123
else s) for s in
3124
value["client_structure"]]
3125
# .name & .host
3126
for k in ("name", "host"):
3127
if isinstance(value[k], bytes):
3128
value[k] = value[k].decode("utf-8")
3129
# old_client_settings
3130
# .keys()
3131
old_client_settings = {
3132
(key.decode("utf-8")
3133
if isinstance(key, bytes)
3134
else key): value
3135
for key, value in
3136
bytes_old_client_settings.items()}
3137
del bytes_old_client_settings
3138
# .host
3139
for value in old_client_settings.values():
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
3142
.decode("utf-8"))
2785
3143
os.remove(stored_state_path)
2786
3144
except IOError as e:
2787
3145
if e.errno == errno.ENOENT:
2795
3153
logger.warning("Could not load persistent state: "
2796
3154
"EOFError:",
2797
3155
exc_info=e)
2798
3156
2799
3157
with PGPEngine() as pgp:
2800
3158
for client_name, client in clients_data.items():
2801
3159
# Skip removed clients
2802
3160
if client_name not in client_settings:
2803
3161
continue
2804
3162
2805
3163
# Decide which value to use after restoring saved state.
2806
3164
# We have three different values: Old config file,
2807
3165
# new config file, and saved state.
2818
3176
client[name] = value
2819
3177
except KeyError:
2820
3178
pass
2821
3179
2822
3180
# Clients who has passed its expire date can still be
2823
3181
# enabled if its last checker was successful. A Client
2824
3182
# whose checker succeeded before we stored its state is
2857
3215
client_name))
2858
3216
client["secret"] = (client_settings[client_name]
2859
3217
["secret"])
2860
3218
2861
3219
# Add/remove clients based on new changes made to config
2862
3220
for client_name in (set(old_client_settings)
2863
3221
- set(client_settings)):
2865
3223
for client_name in (set(client_settings)
2866
3224
- set(old_client_settings)):
2867
3225
clients_data[client_name] = client_settings[client_name]
2868
3226
2869
3227
# Create all client objects
2870
3228
for client_name, client in clients_data.items():
2871
3229
tcp_server.clients[client_name] = client_class(
2872
name = client_name,
2873
settings = client,
2874
server_settings = server_settings)
2875
3230
name=client_name,
3231
settings=client,
3232
server_settings=server_settings)
3233
2876
3234
if not tcp_server.clients:
2877
3235
logger.warning("No clients defined")
2878
3236
2879
3237
if not foreground:
2880
3238
if pidfile is not None:
2881
3239
pid = os.getpid()
2887
3245
pidfilename, pid)
2888
3246
del pidfile
2889
3247
del pidfilename
2890
2891
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2892
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2893
3248
3249
for termsig in (signal.SIGHUP, signal.SIGTERM):
3250
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3251
lambda: main_loop.quit() and False)
3252
2894
3253
if use_dbus:
2895
3254
2896
3255
@alternate_dbus_interfaces(
2897
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3256
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2898
3257
class MandosDBusService(DBusObjectWithObjectManager):
2899
3258
"""A D-Bus proxy object"""
2900
3259
2901
3260
def __init__(self):
2902
3261
dbus.service.Object.__init__(self, bus, "/")
2903
3262
2904
3263
_interface = "se.recompile.Mandos"
2905
3264
2906
3265
@dbus.service.signal(_interface, signature="o")
2907
3266
def ClientAdded(self, objpath):
2908
3267
"D-Bus signal"
2909
3268
pass
2910
3269
2911
3270
@dbus.service.signal(_interface, signature="ss")
2912
3271
def ClientNotFound(self, fingerprint, address):
2913
3272
"D-Bus signal"
2914
3273
pass
2915
3274
2916
3275
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2917
3276
"true"})
2918
3277
@dbus.service.signal(_interface, signature="os")
2919
3278
def ClientRemoved(self, objpath, name):
2920
3279
"D-Bus signal"
2921
3280
pass
2922
3281
2923
3282
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2924
3283
"true"})
2925
3284
@dbus.service.method(_interface, out_signature="ao")
2926
3285
def GetAllClients(self):
2927
3286
"D-Bus method"
2928
3287
return dbus.Array(c.dbus_object_path for c in
2929
tcp_server.clients.itervalues())
2930
3288
tcp_server.clients.values())
3289
2931
3290
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2932
3291
"true"})
2933
3292
@dbus.service.method(_interface,
2935
3294
def GetAllClientsWithProperties(self):
2936
3295
"D-Bus method"
2937
3296
return dbus.Dictionary(
2938
{ c.dbus_object_path: c.GetAll(
3297
{c.dbus_object_path: c.GetAll(
2939
3298
"se.recompile.Mandos.Client")
2940
for c in tcp_server.clients.itervalues() },
3299
for c in tcp_server.clients.values()},
2941
3300
signature="oa{sv}")
2942
3301
2943
3302
@dbus.service.method(_interface, in_signature="o")
2944
3303
def RemoveClient(self, object_path):
2945
3304
"D-Bus method"
2946
for c in tcp_server.clients.itervalues():
3305
for c in tcp_server.clients.values():
2947
3306
if c.dbus_object_path == object_path:
2948
3307
del tcp_server.clients[c.name]
2949
3308
c.remove_from_connection()
2953
3312
self.client_removed_signal(c)
2954
3313
return
2955
3314
raise KeyError(object_path)
2956
3315
2957
3316
del _interface
2958
3317
2959
3318
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2960
out_signature = "a{oa{sa{sv}}}")
3319
out_signature="a{oa{sa{sv}}}")
2961
3320
def GetManagedObjects(self):
2962
3321
"""D-Bus method"""
2963
3322
return dbus.Dictionary(
2964
{ client.dbus_object_path:
2965
dbus.Dictionary(
2966
{ interface: client.GetAll(interface)
2967
for interface in
2968
client._get_all_interface_names()})
2969
for client in tcp_server.clients.values()})
2970
3323
{client.dbus_object_path:
3324
dbus.Dictionary(
3325
{interface: client.GetAll(interface)
3326
for interface in
3327
client._get_all_interface_names()})
3328
for client in tcp_server.clients.values()})
3329
2971
3330
def client_added_signal(self, client):
2972
3331
"""Send the new standard signal and the old signal"""
2973
3332
if use_dbus:
2975
3334
self.InterfacesAdded(
2976
3335
client.dbus_object_path,
2977
3336
dbus.Dictionary(
2978
{ interface: client.GetAll(interface)
2979
for interface in
2980
client._get_all_interface_names()}))
3337
{interface: client.GetAll(interface)
3338
for interface in
3339
client._get_all_interface_names()}))
2981
3340
# Old signal
2982
3341
self.ClientAdded(client.dbus_object_path)
2983
3342
2984
3343
def client_removed_signal(self, client):
2985
3344
"""Send the new standard signal and the old signal"""
2986
3345
if use_dbus:
2991
3350
# Old signal
2992
3351
self.ClientRemoved(client.dbus_object_path,
2993
3352
client.name)
2994
3353
2995
3354
mandos_dbus_service = MandosDBusService()
2996
3355
3356
# Save modules to variables to exempt the modules from being
3357
# unloaded before the function registered with atexit() is run.
3358
mp = multiprocessing
3359
wn = wnull
3360
2997
3361
def cleanup():
2998
3362
"Cleanup function; run on exit"
2999
3363
if zeroconf:
3000
3364
service.cleanup()
3001
3002
multiprocessing.active_children()
3003
wnull.close()
3365
3366
mp.active_children()
3367
wn.close()
3004
3368
if not (tcp_server.clients or client_settings):
3005
3369
return
3006
3370
3007
3371
# Store client before exiting. Secrets are encrypted with key
3008
3372
# based on what config file has. If config file is
3009
3373
# removed/edited, old secret will thus be unrecovable.
3010
3374
clients = {}
3011
3375
with PGPEngine() as pgp:
3012
for client in tcp_server.clients.itervalues():
3376
for client in tcp_server.clients.values():
3013
3377
key = client_settings[client.name]["secret"]
3014
3378
client.encrypted_secret = pgp.encrypt(client.secret,
3015
3379
key)
3016
3380
client_dict = {}
3017
3381
3018
3382
# A list of attributes that can not be pickled
3019
3383
# + secret.
3020
exclude = { "bus", "changedstate", "secret",
3021
"checker", "server_settings" }
3384
exclude = {"bus", "changedstate", "secret",
3385
"checker", "server_settings"}
3022
3386
for name, typ in inspect.getmembers(dbus.service
3023
3387
.Object):
3024
3388
exclude.add(name)
3025
3389
3026
3390
client_dict["encrypted_secret"] = (client
3027
3391
.encrypted_secret)
3028
3392
for attr in client.client_structure:
3029
3393
if attr not in exclude:
3030
3394
client_dict[attr] = getattr(client, attr)
3031
3395
3032
3396
clients[client.name] = client_dict
3033
3397
del client_settings[client.name]["secret"]
3034
3398
3035
3399
try:
3036
3400
with tempfile.NamedTemporaryFile(
3037
3401
mode='wb',
3039
3403
prefix='clients-',
3040
3404
dir=os.path.dirname(stored_state_path),
3041
3405
delete=False) as stored_state:
3042
pickle.dump((clients, client_settings), stored_state)
3406
pickle.dump((clients, client_settings), stored_state,
3407
protocol=2)
3043
3408
tempname = stored_state.name
3044
3409
os.rename(tempname, stored_state_path)
3045
3410
except (IOError, OSError) as e:
3055
3420
logger.warning("Could not save persistent state:",
3056
3421
exc_info=e)
3057
3422
raise
3058
3423
3059
3424
# Delete all clients, and settings from config
3060
3425
while tcp_server.clients:
3061
3426
name, client = tcp_server.clients.popitem()
3064
3429
# Don't signal the disabling
3065
3430
client.disable(quiet=True)
3066
3431
# Emit D-Bus signal for removal
3067
mandos_dbus_service.client_removed_signal(client)
3432
if use_dbus:
3433
mandos_dbus_service.client_removed_signal(client)
3068
3434
client_settings.clear()
3069
3435
3070
3436
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3437
3438
for client in tcp_server.clients.values():
3073
3439
if use_dbus:
3074
3440
# Emit D-Bus signal for adding
3075
3441
mandos_dbus_service.client_added_signal(client)
3076
3442
# Need to initiate checking of clients
3077
3443
if client.enabled:
3078
3444
client.init_checker()
3079
3445
3080
3446
tcp_server.enable()
3081
3447
tcp_server.server_activate()
3082
3448
3083
3449
# Find out what port we got
3084
3450
if zeroconf:
3085
3451
service.port = tcp_server.socket.getsockname()[1]
3090
3456
else: # IPv4
3091
3457
logger.info("Now listening on address %r, port %d",
3092
3458
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3459
3460
# service.interface = tcp_server.socket.getsockname()[3]
3461
3096
3462
try:
3097
3463
if zeroconf:
3098
3464
# From the Avahi example code
3103
3469
cleanup()
3104
3470
sys.exit(1)
3105
3471
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3472
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3477
3112
3478
logger.debug("Starting main loop")
3113
3479
main_loop.run()
3114
3480
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0