To get this branch, use:
bzr branch
http://bzr.recompile.se/loggerhead/mandos/trunk
« back to all changes in this revision
Viewing changes to mandos
- browse files at revision 922
- compare with another revision
- download diff
- download tarball
- view history from revision 922
- Committer: Teddy Hogeborn
- Date: 2018-02-08 10:02:51 UTC
- Revision ID: teddy@recompile.se-20180208100251-x7qq39sjsgk4r2sq
Update Debian watch file to version 4
* debian/watch (version): Change to "4".
(opts/pgpsigurlmangle): Remove.
(opts/pgpmode): New; set to "auto".
(URL): Change to "https://ftp.recompile.se/pub/@PACKAGE@/@PACKAGE@@ANY_VERSION@(?:\.orig)?@ARCHIVE_EXT@".
* debian/watch (version): Change to "4".
(opts/pgpsigurlmangle): Remove.
(opts/pgpmode): New; set to "auto".
(URL): Change to "https://ftp.recompile.se/pub/@PACKAGE@/@PACKAGE@@ANY_VERSION@(?:\.orig)?@ARCHIVE_EXT@".
added
removed
mandos
1
#!/usr/bin/python2.7
1
#!/usr/bin/python
2
2
# -*- mode: python; coding: utf-8 -*-
3
#
3
#
4
4
# Mandos server - give out binary blobs to connecting clients.
5
#
5
#
6
6
# This program is partly derived from an example program for an Avahi
7
7
# service publisher, downloaded from
8
8
# <http://avahi.org/wiki/PythonPublishExample>. This includes the
9
9
# methods "add", "remove", "server_state_changed",
10
10
# "entry_group_state_changed", "cleanup", and "activate" in the
11
11
# "AvahiService" class, and some lines in "main".
12
#
12
#
13
13
# Everything else is
14
# Copyright © 2008-2015 Teddy Hogeborn
15
# Copyright © 2008-2015 Björn Påhlsson
16
#
17
# This program is free software: you can redistribute it and/or modify
18
# it under the terms of the GNU General Public License as published by
14
# Copyright © 2008-2017 Teddy Hogeborn
15
# Copyright © 2008-2017 Björn Påhlsson
16
#
17
# This file is part of Mandos.
18
#
19
# Mandos is free software: you can redistribute it and/or modify it
20
# under the terms of the GNU General Public License as published by
19
21
# the Free Software Foundation, either version 3 of the License, or
20
22
# (at your option) any later version.
21
23
#
22
# This program is distributed in the hope that it will be useful,
23
# but WITHOUT ANY WARRANTY; without even the implied warranty of
24
# Mandos is distributed in the hope that it will be useful, but
25
# WITHOUT ANY WARRANTY; without even the implied warranty of
24
26
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25
27
# GNU General Public License for more details.
26
#
28
#
27
29
# You should have received a copy of the GNU General Public License
28
# along with this program. If not, see
29
# <http://www.gnu.org/licenses/>.
30
#
30
# along with Mandos. If not, see <http://www.gnu.org/licenses/>.
31
#
31
32
# Contact the authors at <mandos@recompile.se>.
32
#
33
#
33
34
34
35
from __future__ import (division, absolute_import, print_function,
35
36
unicode_literals)
36
37
37
from future_builtins import *
38
try:
39
from future_builtins import *
40
except ImportError:
41
pass
38
42
39
43
try:
40
44
import SocketServer as socketserver
44
48
import argparse
45
49
import datetime
46
50
import errno
47
import gnutls.connection
48
import gnutls.errors
49
import gnutls.library.functions
50
import gnutls.library.constants
51
import gnutls.library.types
52
51
try:
53
52
import ConfigParser as configparser
54
53
except ImportError:
81
80
82
81
import dbus
83
82
import dbus.service
84
try:
85
import gobject
86
except ImportError:
87
from gi.repository import GObject as gobject
88
import avahi
83
from gi.repository import GLib
89
84
from dbus.mainloop.glib import DBusGMainLoop
90
85
import ctypes
91
86
import ctypes.util
92
87
import xml.dom.minidom
93
88
import inspect
94
89
90
# Try to find the value of SO_BINDTODEVICE:
95
91
try:
92
# This is where SO_BINDTODEVICE is in Python 3.3 (or 3.4?) and
93
# newer, and it is also the most natural place for it:
96
94
SO_BINDTODEVICE = socket.SO_BINDTODEVICE
97
95
except AttributeError:
98
96
try:
97
# This is where SO_BINDTODEVICE was up to and including Python
98
# 2.6, and also 3.2:
99
99
from IN import SO_BINDTODEVICE
100
100
except ImportError:
101
SO_BINDTODEVICE = None
101
# In Python 2.7 it seems to have been removed entirely.
102
# Try running the C preprocessor:
103
try:
104
cc = subprocess.Popen(["cc", "--language=c", "-E",
105
"/dev/stdin"],
106
stdin=subprocess.PIPE,
107
stdout=subprocess.PIPE)
108
stdout = cc.communicate(
109
"#include <sys/socket.h>\nSO_BINDTODEVICE\n")[0]
110
SO_BINDTODEVICE = int(stdout.splitlines()[-1])
111
except (OSError, ValueError, IndexError):
112
# No value found
113
SO_BINDTODEVICE = None
102
114
103
115
if sys.version_info.major == 2:
104
116
str = unicode
105
117
106
version = "1.7.1"
118
version = "1.7.16"
107
119
stored_state_file = "clients.pickle"
108
120
109
121
logger = logging.getLogger()
113
125
if_nametoindex = ctypes.cdll.LoadLibrary(
114
126
ctypes.util.find_library("c")).if_nametoindex
115
127
except (OSError, AttributeError):
116
128
117
129
def if_nametoindex(interface):
118
130
"Get an interface index the hard way, i.e. using fcntl()"
119
131
SIOCGIFINDEX = 0x8933 # From /usr/include/linux/sockios.h
124
136
return interface_index
125
137
126
138
139
def copy_function(func):
140
"""Make a copy of a function"""
141
if sys.version_info.major == 2:
142
return types.FunctionType(func.func_code,
143
func.func_globals,
144
func.func_name,
145
func.func_defaults,
146
func.func_closure)
147
else:
148
return types.FunctionType(func.__code__,
149
func.__globals__,
150
func.__name__,
151
func.__defaults__,
152
func.__closure__)
153
154
127
155
def initlogger(debug, level=logging.WARNING):
128
156
"""init logger and add loglevel"""
129
157
130
158
global syslogger
131
159
syslogger = (logging.handlers.SysLogHandler(
132
facility = logging.handlers.SysLogHandler.LOG_DAEMON,
133
address = "/dev/log"))
160
facility=logging.handlers.SysLogHandler.LOG_DAEMON,
161
address="/dev/log"))
134
162
syslogger.setFormatter(logging.Formatter
135
163
('Mandos [%(process)d]: %(levelname)s:'
136
164
' %(message)s'))
137
165
logger.addHandler(syslogger)
138
166
139
167
if debug:
140
168
console = logging.StreamHandler()
141
169
console.setFormatter(logging.Formatter('%(asctime)s %(name)s'
153
181
154
182
class PGPEngine(object):
155
183
"""A simple class for OpenPGP symmetric encryption & decryption"""
156
184
157
185
def __init__(self):
158
186
self.tempdir = tempfile.mkdtemp(prefix="mandos-")
187
self.gpg = "gpg"
188
try:
189
output = subprocess.check_output(["gpgconf"])
190
for line in output.splitlines():
191
name, text, path = line.split(b":")
192
if name == "gpg":
193
self.gpg = path
194
break
195
except OSError as e:
196
if e.errno != errno.ENOENT:
197
raise
159
198
self.gnupgargs = ['--batch',
160
'--home', self.tempdir,
199
'--homedir', self.tempdir,
161
200
'--force-mdc',
162
'--quiet',
163
'--no-use-agent']
164
201
'--quiet']
202
# Only GPG version 1 has the --no-use-agent option.
203
if self.gpg == "gpg" or self.gpg.endswith("/gpg"):
204
self.gnupgargs.append("--no-use-agent")
205
165
206
def __enter__(self):
166
207
return self
167
208
168
209
def __exit__(self, exc_type, exc_value, traceback):
169
210
self._cleanup()
170
211
return False
171
212
172
213
def __del__(self):
173
214
self._cleanup()
174
215
175
216
def _cleanup(self):
176
217
if self.tempdir is not None:
177
218
# Delete contents of tempdir
178
219
for root, dirs, files in os.walk(self.tempdir,
179
topdown = False):
220
topdown=False):
180
221
for filename in files:
181
222
os.remove(os.path.join(root, filename))
182
223
for dirname in dirs:
184
225
# Remove tempdir
185
226
os.rmdir(self.tempdir)
186
227
self.tempdir = None
187
228
188
229
def password_encode(self, password):
189
230
# Passphrase can not be empty and can not contain newlines or
190
231
# NUL bytes. So we prefix it and hex encode it.
195
236
.replace(b"\n", b"\\n")
196
237
.replace(b"\0", b"\\x00"))
197
238
return encoded
198
239
199
240
def encrypt(self, data, password):
200
241
passphrase = self.password_encode(password)
201
242
with tempfile.NamedTemporaryFile(
202
243
dir=self.tempdir) as passfile:
203
244
passfile.write(passphrase)
204
245
passfile.flush()
205
proc = subprocess.Popen(['gpg', '--symmetric',
246
proc = subprocess.Popen([self.gpg, '--symmetric',
206
247
'--passphrase-file',
207
248
passfile.name]
208
249
+ self.gnupgargs,
209
stdin = subprocess.PIPE,
210
stdout = subprocess.PIPE,
211
stderr = subprocess.PIPE)
212
ciphertext, err = proc.communicate(input = data)
250
stdin=subprocess.PIPE,
251
stdout=subprocess.PIPE,
252
stderr=subprocess.PIPE)
253
ciphertext, err = proc.communicate(input=data)
213
254
if proc.returncode != 0:
214
255
raise PGPError(err)
215
256
return ciphertext
216
257
217
258
def decrypt(self, data, password):
218
259
passphrase = self.password_encode(password)
219
260
with tempfile.NamedTemporaryFile(
220
dir = self.tempdir) as passfile:
261
dir=self.tempdir) as passfile:
221
262
passfile.write(passphrase)
222
263
passfile.flush()
223
proc = subprocess.Popen(['gpg', '--decrypt',
264
proc = subprocess.Popen([self.gpg, '--decrypt',
224
265
'--passphrase-file',
225
266
passfile.name]
226
267
+ self.gnupgargs,
227
stdin = subprocess.PIPE,
228
stdout = subprocess.PIPE,
229
stderr = subprocess.PIPE)
230
decrypted_plaintext, err = proc.communicate(input = data)
268
stdin=subprocess.PIPE,
269
stdout=subprocess.PIPE,
270
stderr=subprocess.PIPE)
271
decrypted_plaintext, err = proc.communicate(input=data)
231
272
if proc.returncode != 0:
232
273
raise PGPError(err)
233
274
return decrypted_plaintext
234
275
235
276
277
# Pretend that we have an Avahi module
278
class Avahi(object):
279
"""This isn't so much a class as it is a module-like namespace.
280
It is instantiated once, and simulates having an Avahi module."""
281
IF_UNSPEC = -1 # avahi-common/address.h
282
PROTO_UNSPEC = -1 # avahi-common/address.h
283
PROTO_INET = 0 # avahi-common/address.h
284
PROTO_INET6 = 1 # avahi-common/address.h
285
DBUS_NAME = "org.freedesktop.Avahi"
286
DBUS_INTERFACE_ENTRY_GROUP = DBUS_NAME + ".EntryGroup"
287
DBUS_INTERFACE_SERVER = DBUS_NAME + ".Server"
288
DBUS_PATH_SERVER = "/"
289
290
def string_array_to_txt_array(self, t):
291
return dbus.Array((dbus.ByteArray(s.encode("utf-8"))
292
for s in t), signature="ay")
293
ENTRY_GROUP_ESTABLISHED = 2 # avahi-common/defs.h
294
ENTRY_GROUP_COLLISION = 3 # avahi-common/defs.h
295
ENTRY_GROUP_FAILURE = 4 # avahi-common/defs.h
296
SERVER_INVALID = 0 # avahi-common/defs.h
297
SERVER_REGISTERING = 1 # avahi-common/defs.h
298
SERVER_RUNNING = 2 # avahi-common/defs.h
299
SERVER_COLLISION = 3 # avahi-common/defs.h
300
SERVER_FAILURE = 4 # avahi-common/defs.h
301
avahi = Avahi()
302
303
236
304
class AvahiError(Exception):
237
305
def __init__(self, value, *args, **kwargs):
238
306
self.value = value
250
318
251
319
class AvahiService(object):
252
320
"""An Avahi (Zeroconf) service.
253
321
254
322
Attributes:
255
323
interface: integer; avahi.IF_UNSPEC or an interface index.
256
324
Used to optionally bind to the specified interface.
268
336
server: D-Bus Server
269
337
bus: dbus.SystemBus()
270
338
"""
271
339
272
340
def __init__(self,
273
interface = avahi.IF_UNSPEC,
274
name = None,
275
servicetype = None,
276
port = None,
277
TXT = None,
278
domain = "",
279
host = "",
280
max_renames = 32768,
281
protocol = avahi.PROTO_UNSPEC,
282
bus = None):
341
interface=avahi.IF_UNSPEC,
342
name=None,
343
servicetype=None,
344
port=None,
345
TXT=None,
346
domain="",
347
host="",
348
max_renames=32768,
349
protocol=avahi.PROTO_UNSPEC,
350
bus=None):
283
351
self.interface = interface
284
352
self.name = name
285
353
self.type = servicetype
294
362
self.server = None
295
363
self.bus = bus
296
364
self.entry_group_state_changed_match = None
297
365
298
366
def rename(self, remove=True):
299
367
"""Derived from the Avahi example code"""
300
368
if self.rename_count >= self.max_renames:
320
388
logger.critical("D-Bus Exception", exc_info=error)
321
389
self.cleanup()
322
390
os._exit(1)
323
391
324
392
def remove(self):
325
393
"""Derived from the Avahi example code"""
326
394
if self.entry_group_state_changed_match is not None:
328
396
self.entry_group_state_changed_match = None
329
397
if self.group is not None:
330
398
self.group.Reset()
331
399
332
400
def add(self):
333
401
"""Derived from the Avahi example code"""
334
402
self.remove()
351
419
dbus.UInt16(self.port),
352
420
avahi.string_array_to_txt_array(self.TXT))
353
421
self.group.Commit()
354
422
355
423
def entry_group_state_changed(self, state, error):
356
424
"""Derived from the Avahi example code"""
357
425
logger.debug("Avahi entry group state change: %i", state)
358
426
359
427
if state == avahi.ENTRY_GROUP_ESTABLISHED:
360
428
logger.debug("Zeroconf service established.")
361
429
elif state == avahi.ENTRY_GROUP_COLLISION:
365
433
logger.critical("Avahi: Error in group state changed %s",
366
434
str(error))
367
435
raise AvahiGroupError("State changed: {!s}".format(error))
368
436
369
437
def cleanup(self):
370
438
"""Derived from the Avahi example code"""
371
439
if self.group is not None:
376
444
pass
377
445
self.group = None
378
446
self.remove()
379
447
380
448
def server_state_changed(self, state, error=None):
381
449
"""Derived from the Avahi example code"""
382
450
logger.debug("Avahi server state change: %i", state)
411
479
logger.debug("Unknown state: %r", state)
412
480
else:
413
481
logger.debug("Unknown state: %r: %r", state, error)
414
482
415
483
def activate(self):
416
484
"""Derived from the Avahi example code"""
417
485
if self.server is None:
428
496
class AvahiServiceToSyslog(AvahiService):
429
497
def rename(self, *args, **kwargs):
430
498
"""Add the new name to the syslog messages"""
431
ret = AvahiService.rename(self, *args, **kwargs)
499
ret = super(AvahiServiceToSyslog, self).rename(self, *args,
500
**kwargs)
432
501
syslogger.setFormatter(logging.Formatter(
433
502
'Mandos ({}) [%(process)d]: %(levelname)s: %(message)s'
434
503
.format(self.name)))
435
504
return ret
436
505
506
507
# Pretend that we have a GnuTLS module
508
class GnuTLS(object):
509
"""This isn't so much a class as it is a module-like namespace.
510
It is instantiated once, and simulates having a GnuTLS module."""
511
512
library = ctypes.util.find_library("gnutls")
513
if library is None:
514
library = ctypes.util.find_library("gnutls-deb0")
515
_library = ctypes.cdll.LoadLibrary(library)
516
del library
517
_need_version = b"3.3.0"
518
519
def __init__(self):
520
# Need to use "self" here, since this method is called before
521
# the assignment to the "gnutls" global variable happens.
522
if self.check_version(self._need_version) is None:
523
raise self.Error("Needs GnuTLS {} or later"
524
.format(self._need_version))
525
526
# Unless otherwise indicated, the constants and types below are
527
# all from the gnutls/gnutls.h C header file.
528
529
# Constants
530
E_SUCCESS = 0
531
E_INTERRUPTED = -52
532
E_AGAIN = -28
533
CRT_OPENPGP = 2
534
CLIENT = 2
535
SHUT_RDWR = 0
536
CRD_CERTIFICATE = 1
537
E_NO_CERTIFICATE_FOUND = -49
538
OPENPGP_FMT_RAW = 0 # gnutls/openpgp.h
539
540
# Types
541
class session_int(ctypes.Structure):
542
_fields_ = []
543
session_t = ctypes.POINTER(session_int)
544
545
class certificate_credentials_st(ctypes.Structure):
546
_fields_ = []
547
certificate_credentials_t = ctypes.POINTER(
548
certificate_credentials_st)
549
certificate_type_t = ctypes.c_int
550
551
class datum_t(ctypes.Structure):
552
_fields_ = [('data', ctypes.POINTER(ctypes.c_ubyte)),
553
('size', ctypes.c_uint)]
554
555
class openpgp_crt_int(ctypes.Structure):
556
_fields_ = []
557
openpgp_crt_t = ctypes.POINTER(openpgp_crt_int)
558
openpgp_crt_fmt_t = ctypes.c_int # gnutls/openpgp.h
559
log_func = ctypes.CFUNCTYPE(None, ctypes.c_int, ctypes.c_char_p)
560
credentials_type_t = ctypes.c_int
561
transport_ptr_t = ctypes.c_void_p
562
close_request_t = ctypes.c_int
563
564
# Exceptions
565
class Error(Exception):
566
# We need to use the class name "GnuTLS" here, since this
567
# exception might be raised from within GnuTLS.__init__,
568
# which is called before the assignment to the "gnutls"
569
# global variable has happened.
570
def __init__(self, message=None, code=None, args=()):
571
# Default usage is by a message string, but if a return
572
# code is passed, convert it to a string with
573
# gnutls.strerror()
574
self.code = code
575
if message is None and code is not None:
576
message = GnuTLS.strerror(code)
577
return super(GnuTLS.Error, self).__init__(
578
message, *args)
579
580
class CertificateSecurityError(Error):
581
pass
582
583
# Classes
584
class Credentials(object):
585
def __init__(self):
586
self._c_object = gnutls.certificate_credentials_t()
587
gnutls.certificate_allocate_credentials(
588
ctypes.byref(self._c_object))
589
self.type = gnutls.CRD_CERTIFICATE
590
591
def __del__(self):
592
gnutls.certificate_free_credentials(self._c_object)
593
594
class ClientSession(object):
595
def __init__(self, socket, credentials=None):
596
self._c_object = gnutls.session_t()
597
gnutls.init(ctypes.byref(self._c_object), gnutls.CLIENT)
598
gnutls.set_default_priority(self._c_object)
599
gnutls.transport_set_ptr(self._c_object, socket.fileno())
600
gnutls.handshake_set_private_extensions(self._c_object,
601
True)
602
self.socket = socket
603
if credentials is None:
604
credentials = gnutls.Credentials()
605
gnutls.credentials_set(self._c_object, credentials.type,
606
ctypes.cast(credentials._c_object,
607
ctypes.c_void_p))
608
self.credentials = credentials
609
610
def __del__(self):
611
gnutls.deinit(self._c_object)
612
613
def handshake(self):
614
return gnutls.handshake(self._c_object)
615
616
def send(self, data):
617
data = bytes(data)
618
data_len = len(data)
619
while data_len > 0:
620
data_len -= gnutls.record_send(self._c_object,
621
data[-data_len:],
622
data_len)
623
624
def bye(self):
625
return gnutls.bye(self._c_object, gnutls.SHUT_RDWR)
626
627
# Error handling functions
628
def _error_code(result):
629
"""A function to raise exceptions on errors, suitable
630
for the 'restype' attribute on ctypes functions"""
631
if result >= 0:
632
return result
633
if result == gnutls.E_NO_CERTIFICATE_FOUND:
634
raise gnutls.CertificateSecurityError(code=result)
635
raise gnutls.Error(code=result)
636
637
def _retry_on_error(result, func, arguments):
638
"""A function to retry on some errors, suitable
639
for the 'errcheck' attribute on ctypes functions"""
640
while result < 0:
641
if result not in (gnutls.E_INTERRUPTED, gnutls.E_AGAIN):
642
return _error_code(result)
643
result = func(*arguments)
644
return result
645
646
# Unless otherwise indicated, the function declarations below are
647
# all from the gnutls/gnutls.h C header file.
648
649
# Functions
650
priority_set_direct = _library.gnutls_priority_set_direct
651
priority_set_direct.argtypes = [session_t, ctypes.c_char_p,
652
ctypes.POINTER(ctypes.c_char_p)]
653
priority_set_direct.restype = _error_code
654
655
init = _library.gnutls_init
656
init.argtypes = [ctypes.POINTER(session_t), ctypes.c_int]
657
init.restype = _error_code
658
659
set_default_priority = _library.gnutls_set_default_priority
660
set_default_priority.argtypes = [session_t]
661
set_default_priority.restype = _error_code
662
663
record_send = _library.gnutls_record_send
664
record_send.argtypes = [session_t, ctypes.c_void_p,
665
ctypes.c_size_t]
666
record_send.restype = ctypes.c_ssize_t
667
record_send.errcheck = _retry_on_error
668
669
certificate_allocate_credentials = (
670
_library.gnutls_certificate_allocate_credentials)
671
certificate_allocate_credentials.argtypes = [
672
ctypes.POINTER(certificate_credentials_t)]
673
certificate_allocate_credentials.restype = _error_code
674
675
certificate_free_credentials = (
676
_library.gnutls_certificate_free_credentials)
677
certificate_free_credentials.argtypes = [
678
certificate_credentials_t]
679
certificate_free_credentials.restype = None
680
681
handshake_set_private_extensions = (
682
_library.gnutls_handshake_set_private_extensions)
683
handshake_set_private_extensions.argtypes = [session_t,
684
ctypes.c_int]
685
handshake_set_private_extensions.restype = None
686
687
credentials_set = _library.gnutls_credentials_set
688
credentials_set.argtypes = [session_t, credentials_type_t,
689
ctypes.c_void_p]
690
credentials_set.restype = _error_code
691
692
strerror = _library.gnutls_strerror
693
strerror.argtypes = [ctypes.c_int]
694
strerror.restype = ctypes.c_char_p
695
696
certificate_type_get = _library.gnutls_certificate_type_get
697
certificate_type_get.argtypes = [session_t]
698
certificate_type_get.restype = _error_code
699
700
certificate_get_peers = _library.gnutls_certificate_get_peers
701
certificate_get_peers.argtypes = [session_t,
702
ctypes.POINTER(ctypes.c_uint)]
703
certificate_get_peers.restype = ctypes.POINTER(datum_t)
704
705
global_set_log_level = _library.gnutls_global_set_log_level
706
global_set_log_level.argtypes = [ctypes.c_int]
707
global_set_log_level.restype = None
708
709
global_set_log_function = _library.gnutls_global_set_log_function
710
global_set_log_function.argtypes = [log_func]
711
global_set_log_function.restype = None
712
713
deinit = _library.gnutls_deinit
714
deinit.argtypes = [session_t]
715
deinit.restype = None
716
717
handshake = _library.gnutls_handshake
718
handshake.argtypes = [session_t]
719
handshake.restype = _error_code
720
handshake.errcheck = _retry_on_error
721
722
transport_set_ptr = _library.gnutls_transport_set_ptr
723
transport_set_ptr.argtypes = [session_t, transport_ptr_t]
724
transport_set_ptr.restype = None
725
726
bye = _library.gnutls_bye
727
bye.argtypes = [session_t, close_request_t]
728
bye.restype = _error_code
729
bye.errcheck = _retry_on_error
730
731
check_version = _library.gnutls_check_version
732
check_version.argtypes = [ctypes.c_char_p]
733
check_version.restype = ctypes.c_char_p
734
735
# All the function declarations below are from gnutls/openpgp.h
736
737
openpgp_crt_init = _library.gnutls_openpgp_crt_init
738
openpgp_crt_init.argtypes = [ctypes.POINTER(openpgp_crt_t)]
739
openpgp_crt_init.restype = _error_code
740
741
openpgp_crt_import = _library.gnutls_openpgp_crt_import
742
openpgp_crt_import.argtypes = [openpgp_crt_t,
743
ctypes.POINTER(datum_t),
744
openpgp_crt_fmt_t]
745
openpgp_crt_import.restype = _error_code
746
747
openpgp_crt_verify_self = _library.gnutls_openpgp_crt_verify_self
748
openpgp_crt_verify_self.argtypes = [openpgp_crt_t, ctypes.c_uint,
749
ctypes.POINTER(ctypes.c_uint)]
750
openpgp_crt_verify_self.restype = _error_code
751
752
openpgp_crt_deinit = _library.gnutls_openpgp_crt_deinit
753
openpgp_crt_deinit.argtypes = [openpgp_crt_t]
754
openpgp_crt_deinit.restype = None
755
756
openpgp_crt_get_fingerprint = (
757
_library.gnutls_openpgp_crt_get_fingerprint)
758
openpgp_crt_get_fingerprint.argtypes = [openpgp_crt_t,
759
ctypes.c_void_p,
760
ctypes.POINTER(
761
ctypes.c_size_t)]
762
openpgp_crt_get_fingerprint.restype = _error_code
763
764
# Remove non-public functions
765
del _error_code, _retry_on_error
766
# Create the global "gnutls" object, simulating a module
767
gnutls = GnuTLS()
768
769
437
770
def call_pipe(connection, # : multiprocessing.Connection
438
771
func, *args, **kwargs):
439
772
"""This function is meant to be called by multiprocessing.Process
440
773
441
774
This function runs func(*args, **kwargs), and writes the resulting
442
775
return value on the provided multiprocessing.Connection.
443
776
"""
444
777
connection.send(func(*args, **kwargs))
445
778
connection.close()
446
779
780
447
781
class Client(object):
448
782
"""A representation of a client host served by this server.
449
783
450
784
Attributes:
451
785
approved: bool(); 'None' if not yet approved/disapproved
452
786
approval_delay: datetime.timedelta(); Time to wait for approval
454
788
checker: subprocess.Popen(); a running checker process used
455
789
to see if the client lives.
456
790
'None' if no process is running.
457
checker_callback_tag: a gobject event source tag, or None
791
checker_callback_tag: a GLib event source tag, or None
458
792
checker_command: string; External command which is run to check
459
793
if client lives. %() expansions are done at
460
794
runtime with vars(self) as dict, so that for
461
795
instance %(name)s can be used in the command.
462
checker_initiator_tag: a gobject event source tag, or None
796
checker_initiator_tag: a GLib event source tag, or None
463
797
created: datetime.datetime(); (UTC) object creation
464
798
client_structure: Object describing what attributes a client has
465
799
and is used for storing the client at exit
466
800
current_checker_command: string; current running checker_command
467
disable_initiator_tag: a gobject event source tag, or None
801
disable_initiator_tag: a GLib event source tag, or None
468
802
enabled: bool()
469
803
fingerprint: string (40 or 32 hexadecimal digits); used to
470
804
uniquely identify the client
489
823
disabled, or None
490
824
server_settings: The server_settings dict from main()
491
825
"""
492
826
493
827
runtime_expansions = ("approval_delay", "approval_duration",
494
828
"created", "enabled", "expires",
495
829
"fingerprint", "host", "interval",
506
840
"approved_by_default": "True",
507
841
"enabled": "True",
508
842
}
509
843
510
844
@staticmethod
511
845
def config_parser(config):
512
846
"""Construct a new dict of client settings of this form:
519
853
for client_name in config.sections():
520
854
section = dict(config.items(client_name))
521
855
client = settings[client_name] = {}
522
856
523
857
client["host"] = section["host"]
524
858
# Reformat values from string types to Python types
525
859
client["approved_by_default"] = config.getboolean(
526
860
client_name, "approved_by_default")
527
861
client["enabled"] = config.getboolean(client_name,
528
862
"enabled")
529
863
530
864
# Uppercase and remove spaces from fingerprint for later
531
865
# comparison purposes with return value from the
532
866
# fingerprint() function
533
867
client["fingerprint"] = (section["fingerprint"].upper()
534
868
.replace(" ", ""))
535
869
if "secret" in section:
536
client["secret"] = section["secret"].decode("base64")
870
client["secret"] = codecs.decode(section["secret"]
871
.encode("utf-8"),
872
"base64")
537
873
elif "secfile" in section:
538
874
with open(os.path.expanduser(os.path.expandvars
539
875
(section["secfile"])),
554
890
client["last_approval_request"] = None
555
891
client["last_checked_ok"] = None
556
892
client["last_checker_status"] = -2
557
893
558
894
return settings
559
560
def __init__(self, settings, name = None, server_settings=None):
895
896
def __init__(self, settings, name=None, server_settings=None):
561
897
self.name = name
562
898
if server_settings is None:
563
899
server_settings = {}
565
901
# adding all client settings
566
902
for setting, value in settings.items():
567
903
setattr(self, setting, value)
568
904
569
905
if self.enabled:
570
906
if not hasattr(self, "last_enabled"):
571
907
self.last_enabled = datetime.datetime.utcnow()
575
911
else:
576
912
self.last_enabled = None
577
913
self.expires = None
578
914
579
915
logger.debug("Creating client %r", self.name)
580
916
logger.debug(" Fingerprint: %s", self.fingerprint)
581
917
self.created = settings.get("created",
582
918
datetime.datetime.utcnow())
583
919
584
920
# attributes specific for this server instance
585
921
self.checker = None
586
922
self.checker_initiator_tag = None
592
928
self.changedstate = multiprocessing_manager.Condition(
593
929
multiprocessing_manager.Lock())
594
930
self.client_structure = [attr
595
for attr in self.__dict__.iterkeys()
931
for attr in self.__dict__.keys()
596
932
if not attr.startswith("_")]
597
933
self.client_structure.append("client_structure")
598
934
599
935
for name, t in inspect.getmembers(
600
936
type(self), lambda obj: isinstance(obj, property)):
601
937
if not name.startswith("_"):
602
938
self.client_structure.append(name)
603
939
604
940
# Send notice to process children that client state has changed
605
941
def send_changedstate(self):
606
942
with self.changedstate:
607
943
self.changedstate.notify_all()
608
944
609
945
def enable(self):
610
946
"""Start this client's checker and timeout hooks"""
611
947
if getattr(self, "enabled", False):
616
952
self.last_enabled = datetime.datetime.utcnow()
617
953
self.init_checker()
618
954
self.send_changedstate()
619
955
620
956
def disable(self, quiet=True):
621
957
"""Disable this client."""
622
958
if not getattr(self, "enabled", False):
624
960
if not quiet:
625
961
logger.info("Disabling client %s", self.name)
626
962
if getattr(self, "disable_initiator_tag", None) is not None:
627
gobject.source_remove(self.disable_initiator_tag)
963
GLib.source_remove(self.disable_initiator_tag)
628
964
self.disable_initiator_tag = None
629
965
self.expires = None
630
966
if getattr(self, "checker_initiator_tag", None) is not None:
631
gobject.source_remove(self.checker_initiator_tag)
967
GLib.source_remove(self.checker_initiator_tag)
632
968
self.checker_initiator_tag = None
633
969
self.stop_checker()
634
970
self.enabled = False
635
971
if not quiet:
636
972
self.send_changedstate()
637
# Do not run this again if called by a gobject.timeout_add
973
# Do not run this again if called by a GLib.timeout_add
638
974
return False
639
975
640
976
def __del__(self):
641
977
self.disable()
642
978
643
979
def init_checker(self):
644
980
# Schedule a new checker to be started an 'interval' from now,
645
981
# and every interval from then on.
646
982
if self.checker_initiator_tag is not None:
647
gobject.source_remove(self.checker_initiator_tag)
648
self.checker_initiator_tag = gobject.timeout_add(
983
GLib.source_remove(self.checker_initiator_tag)
984
self.checker_initiator_tag = GLib.timeout_add(
649
985
int(self.interval.total_seconds() * 1000),
650
986
self.start_checker)
651
987
# Schedule a disable() when 'timeout' has passed
652
988
if self.disable_initiator_tag is not None:
653
gobject.source_remove(self.disable_initiator_tag)
654
self.disable_initiator_tag = gobject.timeout_add(
989
GLib.source_remove(self.disable_initiator_tag)
990
self.disable_initiator_tag = GLib.timeout_add(
655
991
int(self.timeout.total_seconds() * 1000), self.disable)
656
992
# Also start a new checker *right now*.
657
993
self.start_checker()
658
994
659
995
def checker_callback(self, source, condition, connection,
660
996
command):
661
997
"""The checker has completed, so take appropriate actions."""
664
1000
# Read return code from connection (see call_pipe)
665
1001
returncode = connection.recv()
666
1002
connection.close()
667
1003
668
1004
if returncode >= 0:
669
1005
self.last_checker_status = returncode
670
1006
self.last_checker_signal = None
680
1016
logger.warning("Checker for %(name)s crashed?",
681
1017
vars(self))
682
1018
return False
683
1019
684
1020
def checked_ok(self):
685
1021
"""Assert that the client has been seen, alive and well."""
686
1022
self.last_checked_ok = datetime.datetime.utcnow()
687
1023
self.last_checker_status = 0
688
1024
self.last_checker_signal = None
689
1025
self.bump_timeout()
690
1026
691
1027
def bump_timeout(self, timeout=None):
692
1028
"""Bump up the timeout for this client."""
693
1029
if timeout is None:
694
1030
timeout = self.timeout
695
1031
if self.disable_initiator_tag is not None:
696
gobject.source_remove(self.disable_initiator_tag)
1032
GLib.source_remove(self.disable_initiator_tag)
697
1033
self.disable_initiator_tag = None
698
1034
if getattr(self, "enabled", False):
699
self.disable_initiator_tag = gobject.timeout_add(
1035
self.disable_initiator_tag = GLib.timeout_add(
700
1036
int(timeout.total_seconds() * 1000), self.disable)
701
1037
self.expires = datetime.datetime.utcnow() + timeout
702
1038
703
1039
def need_approval(self):
704
1040
self.last_approval_request = datetime.datetime.utcnow()
705
1041
706
1042
def start_checker(self):
707
1043
"""Start a new checker subprocess if one is not running.
708
1044
709
1045
If a checker already exists, leave it running and do
710
1046
nothing."""
711
1047
# The reason for not killing a running checker is that if we
716
1052
# checkers alone, the checker would have to take more time
717
1053
# than 'timeout' for the client to be disabled, which is as it
718
1054
# should be.
719
1055
720
1056
if self.checker is not None and not self.checker.is_alive():
721
1057
logger.warning("Checker was not alive; joining")
722
1058
self.checker.join()
726
1062
# Escape attributes for the shell
727
1063
escaped_attrs = {
728
1064
attr: re.escape(str(getattr(self, attr)))
729
for attr in self.runtime_expansions }
1065
for attr in self.runtime_expansions}
730
1066
try:
731
1067
command = self.checker_command % escaped_attrs
732
1068
except TypeError as error:
744
1080
# The exception is when not debugging but nevertheless
745
1081
# running in the foreground; use the previously
746
1082
# created wnull.
747
popen_args = { "close_fds": True,
748
"shell": True,
749
"cwd": "/" }
1083
popen_args = {"close_fds": True,
1084
"shell": True,
1085
"cwd": "/"}
750
1086
if (not self.server_settings["debug"]
751
1087
and self.server_settings["foreground"]):
752
1088
popen_args.update({"stdout": wnull,
753
"stderr": wnull })
754
pipe = multiprocessing.Pipe(duplex = False)
1089
"stderr": wnull})
1090
pipe = multiprocessing.Pipe(duplex=False)
755
1091
self.checker = multiprocessing.Process(
756
target = call_pipe,
757
args = (pipe[1], subprocess.call, command),
758
kwargs = popen_args)
1092
target=call_pipe,
1093
args=(pipe[1], subprocess.call, command),
1094
kwargs=popen_args)
759
1095
self.checker.start()
760
self.checker_callback_tag = gobject.io_add_watch(
761
pipe[0].fileno(), gobject.IO_IN,
1096
self.checker_callback_tag = GLib.io_add_watch(
1097
pipe[0].fileno(), GLib.IO_IN,
762
1098
self.checker_callback, pipe[0], command)
763
# Re-run this periodically if run by gobject.timeout_add
1099
# Re-run this periodically if run by GLib.timeout_add
764
1100
return True
765
1101
766
1102
def stop_checker(self):
767
1103
"""Force the checker process, if any, to stop."""
768
1104
if self.checker_callback_tag:
769
gobject.source_remove(self.checker_callback_tag)
1105
GLib.source_remove(self.checker_callback_tag)
770
1106
self.checker_callback_tag = None
771
1107
if getattr(self, "checker", None) is None:
772
1108
return
781
1117
byte_arrays=False):
782
1118
"""Decorators for marking methods of a DBusObjectWithProperties to
783
1119
become properties on the D-Bus.
784
1120
785
1121
The decorated method will be called with no arguments by "Get"
786
1122
and with one argument by "Set".
787
1123
788
1124
The parameters, where they are supported, are the same as
789
1125
dbus.service.method, except there is only "signature", since the
790
1126
type from Get() and the type sent to Set() is the same.
794
1130
if byte_arrays and signature != "ay":
795
1131
raise ValueError("Byte arrays not supported for non-'ay'"
796
1132
" signature {!r}".format(signature))
797
1133
798
1134
def decorator(func):
799
1135
func._dbus_is_property = True
800
1136
func._dbus_interface = dbus_interface
803
1139
func._dbus_name = func.__name__
804
1140
if func._dbus_name.endswith("_dbus_property"):
805
1141
func._dbus_name = func._dbus_name[:-14]
806
func._dbus_get_args_options = {'byte_arrays': byte_arrays }
1142
func._dbus_get_args_options = {'byte_arrays': byte_arrays}
807
1143
return func
808
1144
809
1145
return decorator
810
1146
811
1147
812
1148
def dbus_interface_annotations(dbus_interface):
813
1149
"""Decorator for marking functions returning interface annotations
814
1150
815
1151
Usage:
816
1152
817
1153
@dbus_interface_annotations("org.example.Interface")
818
1154
def _foo(self): # Function name does not matter
819
1155
return {"org.freedesktop.DBus.Deprecated": "true",
820
1156
"org.freedesktop.DBus.Property.EmitsChangedSignal":
821
1157
"false"}
822
1158
"""
823
1159
824
1160
def decorator(func):
825
1161
func._dbus_is_interface = True
826
1162
func._dbus_interface = dbus_interface
827
1163
func._dbus_name = dbus_interface
828
1164
return func
829
1165
830
1166
return decorator
831
1167
832
1168
833
1169
def dbus_annotations(annotations):
834
1170
"""Decorator to annotate D-Bus methods, signals or properties
835
1171
Usage:
836
1172
837
1173
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true",
838
1174
"org.freedesktop.DBus.Property."
839
1175
"EmitsChangedSignal": "false"})
841
1177
access="r")
842
1178
def Property_dbus_property(self):
843
1179
return dbus.Boolean(False)
844
1180
845
1181
See also the DBusObjectWithAnnotations class.
846
1182
"""
847
1183
848
1184
def decorator(func):
849
1185
func._dbus_annotations = annotations
850
1186
return func
851
1187
852
1188
return decorator
853
1189
854
1190
872
1208
873
1209
class DBusObjectWithAnnotations(dbus.service.Object):
874
1210
"""A D-Bus object with annotations.
875
1211
876
1212
Classes inheriting from this can use the dbus_annotations
877
1213
decorator to add annotations to methods or signals.
878
1214
"""
879
1215
880
1216
@staticmethod
881
1217
def _is_dbus_thing(thing):
882
1218
"""Returns a function testing if an attribute is a D-Bus thing
883
1219
884
1220
If called like _is_dbus_thing("method") it returns a function
885
1221
suitable for use as predicate to inspect.getmembers().
886
1222
"""
887
1223
return lambda obj: getattr(obj, "_dbus_is_{}".format(thing),
888
1224
False)
889
1225
890
1226
def _get_all_dbus_things(self, thing):
891
1227
"""Returns a generator of (name, attribute) pairs
892
1228
"""
895
1231
for cls in self.__class__.__mro__
896
1232
for name, athing in
897
1233
inspect.getmembers(cls, self._is_dbus_thing(thing)))
898
1234
899
1235
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
900
out_signature = "s",
901
path_keyword = 'object_path',
902
connection_keyword = 'connection')
1236
out_signature="s",
1237
path_keyword='object_path',
1238
connection_keyword='connection')
903
1239
def Introspect(self, object_path, connection):
904
1240
"""Overloading of standard D-Bus method.
905
1241
906
1242
Inserts annotation tags on methods and signals.
907
1243
"""
908
1244
xmlstring = dbus.service.Object.Introspect(self, object_path,
909
1245
connection)
910
1246
try:
911
1247
document = xml.dom.minidom.parseString(xmlstring)
912
1248
913
1249
for if_tag in document.getElementsByTagName("interface"):
914
1250
# Add annotation tags
915
1251
for typ in ("method", "signal"):
942
1278
if_tag.appendChild(ann_tag)
943
1279
# Fix argument name for the Introspect method itself
944
1280
if (if_tag.getAttribute("name")
945
== dbus.INTROSPECTABLE_IFACE):
1281
== dbus.INTROSPECTABLE_IFACE):
946
1282
for cn in if_tag.getElementsByTagName("method"):
947
1283
if cn.getAttribute("name") == "Introspect":
948
1284
for arg in cn.getElementsByTagName("arg"):
961
1297
962
1298
class DBusObjectWithProperties(DBusObjectWithAnnotations):
963
1299
"""A D-Bus object with properties.
964
1300
965
1301
Classes inheriting from this can use the dbus_service_property
966
1302
decorator to expose methods as D-Bus properties. It exposes the
967
1303
standard Get(), Set(), and GetAll() methods on the D-Bus.
968
1304
"""
969
1305
970
1306
def _get_dbus_property(self, interface_name, property_name):
971
1307
"""Returns a bound method if one exists which is a D-Bus
972
1308
property with the specified name and interface.
977
1313
if (value._dbus_name == property_name
978
1314
and value._dbus_interface == interface_name):
979
1315
return value.__get__(self)
980
1316
981
1317
# No such property
982
1318
raise DBusPropertyNotFound("{}:{}.{}".format(
983
1319
self.dbus_object_path, interface_name, property_name))
984
1320
985
1321
@classmethod
986
1322
def _get_all_interface_names(cls):
987
1323
"""Get a sequence of all interfaces supported by an object"""
990
1326
for x in (inspect.getmro(cls))
991
1327
for attr in dir(x))
992
1328
if name is not None)
993
1329
994
1330
@dbus.service.method(dbus.PROPERTIES_IFACE,
995
1331
in_signature="ss",
996
1332
out_signature="v")
1004
1340
if not hasattr(value, "variant_level"):
1005
1341
return value
1006
1342
return type(value)(value, variant_level=value.variant_level+1)
1007
1343
1008
1344
@dbus.service.method(dbus.PROPERTIES_IFACE, in_signature="ssv")
1009
1345
def Set(self, interface_name, property_name, value):
1010
1346
"""Standard D-Bus property Set() method, see D-Bus standard.
1022
1358
value = dbus.ByteArray(b''.join(chr(byte)
1023
1359
for byte in value))
1024
1360
prop(value)
1025
1361
1026
1362
@dbus.service.method(dbus.PROPERTIES_IFACE,
1027
1363
in_signature="s",
1028
1364
out_signature="a{sv}")
1029
1365
def GetAll(self, interface_name):
1030
1366
"""Standard D-Bus property GetAll() method, see D-Bus
1031
1367
standard.
1032
1368
1033
1369
Note: Will not include properties with access="write".
1034
1370
"""
1035
1371
properties = {}
1046
1382
properties[name] = value
1047
1383
continue
1048
1384
properties[name] = type(value)(
1049
value, variant_level = value.variant_level + 1)
1385
value, variant_level=value.variant_level + 1)
1050
1386
return dbus.Dictionary(properties, signature="sv")
1051
1387
1052
1388
@dbus.service.signal(dbus.PROPERTIES_IFACE, signature="sa{sv}as")
1053
1389
def PropertiesChanged(self, interface_name, changed_properties,
1054
1390
invalidated_properties):
1056
1392
standard.
1057
1393
"""
1058
1394
pass
1059
1395
1060
1396
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1061
1397
out_signature="s",
1062
1398
path_keyword='object_path',
1063
1399
connection_keyword='connection')
1064
1400
def Introspect(self, object_path, connection):
1065
1401
"""Overloading of standard D-Bus method.
1066
1402
1067
1403
Inserts property tags and interface annotation tags.
1068
1404
"""
1069
1405
xmlstring = DBusObjectWithAnnotations.Introspect(self,
1071
1407
connection)
1072
1408
try:
1073
1409
document = xml.dom.minidom.parseString(xmlstring)
1074
1410
1075
1411
def make_tag(document, name, prop):
1076
1412
e = document.createElement("property")
1077
1413
e.setAttribute("name", name)
1078
1414
e.setAttribute("type", prop._dbus_signature)
1079
1415
e.setAttribute("access", prop._dbus_access)
1080
1416
return e
1081
1417
1082
1418
for if_tag in document.getElementsByTagName("interface"):
1083
1419
# Add property tags
1084
1420
for tag in (make_tag(document, name, prop)
1126
1462
exc_info=error)
1127
1463
return xmlstring
1128
1464
1465
1129
1466
try:
1130
1467
dbus.OBJECT_MANAGER_IFACE
1131
1468
except AttributeError:
1132
1469
dbus.OBJECT_MANAGER_IFACE = "org.freedesktop.DBus.ObjectManager"
1133
1470
1471
1134
1472
class DBusObjectWithObjectManager(DBusObjectWithAnnotations):
1135
1473
"""A D-Bus object with an ObjectManager.
1136
1474
1137
1475
Classes inheriting from this exposes the standard
1138
1476
GetManagedObjects call and the InterfacesAdded and
1139
1477
InterfacesRemoved signals on the standard
1140
1478
"org.freedesktop.DBus.ObjectManager" interface.
1141
1479
1142
1480
Note: No signals are sent automatically; they must be sent
1143
1481
manually.
1144
1482
"""
1145
1483
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
1146
out_signature = "a{oa{sa{sv}}}")
1484
out_signature="a{oa{sa{sv}}}")
1147
1485
def GetManagedObjects(self):
1148
1486
"""This function must be overridden"""
1149
1487
raise NotImplementedError()
1150
1488
1151
1489
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE,
1152
signature = "oa{sa{sv}}")
1490
signature="oa{sa{sv}}")
1153
1491
def InterfacesAdded(self, object_path, interfaces_and_properties):
1154
1492
pass
1155
1156
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature = "oas")
1493
1494
@dbus.service.signal(dbus.OBJECT_MANAGER_IFACE, signature="oas")
1157
1495
def InterfacesRemoved(self, object_path, interfaces):
1158
1496
pass
1159
1497
1160
1498
@dbus.service.method(dbus.INTROSPECTABLE_IFACE,
1161
out_signature = "s",
1162
path_keyword = 'object_path',
1163
connection_keyword = 'connection')
1499
out_signature="s",
1500
path_keyword='object_path',
1501
connection_keyword='connection')
1164
1502
def Introspect(self, object_path, connection):
1165
1503
"""Overloading of standard D-Bus method.
1166
1504
1167
1505
Override return argument name of GetManagedObjects to be
1168
1506
"objpath_interfaces_and_properties"
1169
1507
"""
1172
1510
connection)
1173
1511
try:
1174
1512
document = xml.dom.minidom.parseString(xmlstring)
1175
1513
1176
1514
for if_tag in document.getElementsByTagName("interface"):
1177
1515
# Fix argument name for the GetManagedObjects method
1178
1516
if (if_tag.getAttribute("name")
1179
== dbus.OBJECT_MANAGER_IFACE):
1517
== dbus.OBJECT_MANAGER_IFACE):
1180
1518
for cn in if_tag.getElementsByTagName("method"):
1181
1519
if (cn.getAttribute("name")
1182
1520
== "GetManagedObjects"):
1192
1530
except (AttributeError, xml.dom.DOMException,
1193
1531
xml.parsers.expat.ExpatError) as error:
1194
1532
logger.error("Failed to override Introspection method",
1195
exc_info = error)
1533
exc_info=error)
1196
1534
return xmlstring
1197
1535
1536
1198
1537
def datetime_to_dbus(dt, variant_level=0):
1199
1538
"""Convert a UTC datetime.datetime() to a D-Bus type."""
1200
1539
if dt is None:
1201
return dbus.String("", variant_level = variant_level)
1540
return dbus.String("", variant_level=variant_level)
1202
1541
return dbus.String(dt.isoformat(), variant_level=variant_level)
1203
1542
1204
1543
1207
1546
dbus.service.Object, it will add alternate D-Bus attributes with
1208
1547
interface names according to the "alt_interface_names" mapping.
1209
1548
Usage:
1210
1549
1211
1550
@alternate_dbus_interfaces({"org.example.Interface":
1212
1551
"net.example.AlternateInterface"})
1213
1552
class SampleDBusObject(dbus.service.Object):
1214
1553
@dbus.service.method("org.example.Interface")
1215
1554
def SampleDBusMethod():
1216
1555
pass
1217
1556
1218
1557
The above "SampleDBusMethod" on "SampleDBusObject" will be
1219
1558
reachable via two interfaces: "org.example.Interface" and
1220
1559
"net.example.AlternateInterface", the latter of which will have
1221
1560
its D-Bus annotation "org.freedesktop.DBus.Deprecated" set to
1222
1561
"true", unless "deprecate" is passed with a False value.
1223
1562
1224
1563
This works for methods and signals, and also for D-Bus properties
1225
1564
(from DBusObjectWithProperties) and interfaces (from the
1226
1565
dbus_interface_annotations decorator).
1227
1566
"""
1228
1567
1229
1568
def wrapper(cls):
1230
1569
for orig_interface_name, alt_interface_name in (
1231
1570
alt_interface_names.items()):
1246
1585
interface_names.add(alt_interface)
1247
1586
# Is this a D-Bus signal?
1248
1587
if getattr(attribute, "_dbus_is_signal", False):
1588
# Extract the original non-method undecorated
1589
# function by black magic
1249
1590
if sys.version_info.major == 2:
1250
# Extract the original non-method undecorated
1251
# function by black magic
1252
1591
nonmethod_func = (dict(
1253
1592
zip(attribute.func_code.co_freevars,
1254
1593
attribute.__closure__))
1255
1594
["func"].cell_contents)
1256
1595
else:
1257
nonmethod_func = attribute
1596
nonmethod_func = (dict(
1597
zip(attribute.__code__.co_freevars,
1598
attribute.__closure__))
1599
["func"].cell_contents)
1258
1600
# Create a new, but exactly alike, function
1259
1601
# object, and decorate it to be a new D-Bus signal
1260
1602
# with the alternate D-Bus interface name
1261
if sys.version_info.major == 2:
1262
new_function = types.FunctionType(
1263
nonmethod_func.func_code,
1264
nonmethod_func.func_globals,
1265
nonmethod_func.func_name,
1266
nonmethod_func.func_defaults,
1267
nonmethod_func.func_closure)
1268
else:
1269
new_function = types.FunctionType(
1270
nonmethod_func.__code__,
1271
nonmethod_func.__globals__,
1272
nonmethod_func.__name__,
1273
nonmethod_func.__defaults__,
1274
nonmethod_func.__closure__)
1603
new_function = copy_function(nonmethod_func)
1275
1604
new_function = (dbus.service.signal(
1276
1605
alt_interface,
1277
1606
attribute._dbus_signature)(new_function))
1281
1610
attribute._dbus_annotations)
1282
1611
except AttributeError:
1283
1612
pass
1613
1284
1614
# Define a creator of a function to call both the
1285
1615
# original and alternate functions, so both the
1286
1616
# original and alternate signals gets sent when
1289
1619
"""This function is a scope container to pass
1290
1620
func1 and func2 to the "call_both" function
1291
1621
outside of its arguments"""
1292
1622
1293
1623
@functools.wraps(func2)
1294
1624
def call_both(*args, **kwargs):
1295
1625
"""This function will emit two D-Bus
1296
1626
signals by calling func1 and func2"""
1297
1627
func1(*args, **kwargs)
1298
1628
func2(*args, **kwargs)
1299
# Make wrapper function look like a D-Bus signal
1629
# Make wrapper function look like a D-Bus
1630
# signal
1300
1631
for name, attr in inspect.getmembers(func2):
1301
1632
if name.startswith("_dbus_"):
1302
1633
setattr(call_both, name, attr)
1303
1634
1304
1635
return call_both
1305
1636
# Create the "call_both" function and add it to
1306
1637
# the class
1316
1647
alt_interface,
1317
1648
attribute._dbus_in_signature,
1318
1649
attribute._dbus_out_signature)
1319
(types.FunctionType(attribute.func_code,
1320
attribute.func_globals,
1321
attribute.func_name,
1322
attribute.func_defaults,
1323
attribute.func_closure)))
1650
(copy_function(attribute)))
1324
1651
# Copy annotations, if any
1325
1652
try:
1326
1653
attr[attrname]._dbus_annotations = dict(
1338
1665
attribute._dbus_access,
1339
1666
attribute._dbus_get_args_options
1340
1667
["byte_arrays"])
1341
(types.FunctionType(
1342
attribute.func_code,
1343
attribute.func_globals,
1344
attribute.func_name,
1345
attribute.func_defaults,
1346
attribute.func_closure)))
1668
(copy_function(attribute)))
1347
1669
# Copy annotations, if any
1348
1670
try:
1349
1671
attr[attrname]._dbus_annotations = dict(
1358
1680
# to the class.
1359
1681
attr[attrname] = (
1360
1682
dbus_interface_annotations(alt_interface)
1361
(types.FunctionType(attribute.func_code,
1362
attribute.func_globals,
1363
attribute.func_name,
1364
attribute.func_defaults,
1365
attribute.func_closure)))
1683
(copy_function(attribute)))
1366
1684
if deprecate:
1367
1685
# Deprecate all alternate interfaces
1368
iname="_AlternateDBusNames_interface_annotation{}"
1686
iname = "_AlternateDBusNames_interface_annotation{}"
1369
1687
for interface_name in interface_names:
1370
1688
1371
1689
@dbus_interface_annotations(interface_name)
1372
1690
def func(self):
1373
return { "org.freedesktop.DBus.Deprecated":
1374
"true" }
1691
return {"org.freedesktop.DBus.Deprecated":
1692
"true"}
1375
1693
# Find an unused name
1376
1694
for aname in (iname.format(i)
1377
1695
for i in itertools.count()):
1381
1699
if interface_names:
1382
1700
# Replace the class with a new subclass of it with
1383
1701
# methods, signals, etc. as created above.
1384
cls = type(b"{}Alternate".format(cls.__name__),
1385
(cls, ), attr)
1702
if sys.version_info.major == 2:
1703
cls = type(b"{}Alternate".format(cls.__name__),
1704
(cls, ), attr)
1705
else:
1706
cls = type("{}Alternate".format(cls.__name__),
1707
(cls, ), attr)
1386
1708
return cls
1387
1709
1388
1710
return wrapper
1389
1711
1390
1712
1392
1714
"se.bsnet.fukt.Mandos"})
1393
1715
class ClientDBus(Client, DBusObjectWithProperties):
1394
1716
"""A Client class using D-Bus
1395
1717
1396
1718
Attributes:
1397
1719
dbus_object_path: dbus.ObjectPath
1398
1720
bus: dbus.SystemBus()
1399
1721
"""
1400
1722
1401
1723
runtime_expansions = (Client.runtime_expansions
1402
1724
+ ("dbus_object_path", ))
1403
1725
1404
1726
_interface = "se.recompile.Mandos.Client"
1405
1727
1406
1728
# dbus.service.Object doesn't use super(), so we can't either.
1407
1408
def __init__(self, bus = None, *args, **kwargs):
1729
1730
def __init__(self, bus=None, *args, **kwargs):
1409
1731
self.bus = bus
1410
1732
Client.__init__(self, *args, **kwargs)
1411
1733
# Only now, when this client is initialized, can it show up on
1417
1739
"/clients/" + client_object_name)
1418
1740
DBusObjectWithProperties.__init__(self, self.bus,
1419
1741
self.dbus_object_path)
1420
1742
1421
1743
def notifychangeproperty(transform_func, dbus_name,
1422
1744
type_func=lambda x: x,
1423
1745
variant_level=1,
1425
1747
_interface=_interface):
1426
1748
""" Modify a variable so that it's a property which announces
1427
1749
its changes to DBus.
1428
1750
1429
1751
transform_fun: Function that takes a value and a variant_level
1430
1752
and transforms it to a D-Bus type.
1431
1753
dbus_name: D-Bus name of the variable
1434
1756
variant_level: D-Bus variant level. Default: 1
1435
1757
"""
1436
1758
attrname = "_{}".format(dbus_name)
1437
1759
1438
1760
def setter(self, value):
1439
1761
if hasattr(self, "dbus_object_path"):
1440
1762
if (not hasattr(self, attrname) or
1447
1769
else:
1448
1770
dbus_value = transform_func(
1449
1771
type_func(value),
1450
variant_level = variant_level)
1772
variant_level=variant_level)
1451
1773
self.PropertyChanged(dbus.String(dbus_name),
1452
1774
dbus_value)
1453
1775
self.PropertiesChanged(
1454
1776
_interface,
1455
dbus.Dictionary({ dbus.String(dbus_name):
1456
dbus_value }),
1777
dbus.Dictionary({dbus.String(dbus_name):
1778
dbus_value}),
1457
1779
dbus.Array())
1458
1780
setattr(self, attrname, value)
1459
1781
1460
1782
return property(lambda self: getattr(self, attrname), setter)
1461
1783
1462
1784
expires = notifychangeproperty(datetime_to_dbus, "Expires")
1463
1785
approvals_pending = notifychangeproperty(dbus.Boolean,
1464
1786
"ApprovalPending",
1465
type_func = bool)
1787
type_func=bool)
1466
1788
enabled = notifychangeproperty(dbus.Boolean, "Enabled")
1467
1789
last_enabled = notifychangeproperty(datetime_to_dbus,
1468
1790
"LastEnabled")
1469
1791
checker = notifychangeproperty(
1470
1792
dbus.Boolean, "CheckerRunning",
1471
type_func = lambda checker: checker is not None)
1793
type_func=lambda checker: checker is not None)
1472
1794
last_checked_ok = notifychangeproperty(datetime_to_dbus,
1473
1795
"LastCheckedOK")
1474
1796
last_checker_status = notifychangeproperty(dbus.Int16,
1479
1801
"ApprovedByDefault")
1480
1802
approval_delay = notifychangeproperty(
1481
1803
dbus.UInt64, "ApprovalDelay",
1482
type_func = lambda td: td.total_seconds() * 1000)
1804
type_func=lambda td: td.total_seconds() * 1000)
1483
1805
approval_duration = notifychangeproperty(
1484
1806
dbus.UInt64, "ApprovalDuration",
1485
type_func = lambda td: td.total_seconds() * 1000)
1807
type_func=lambda td: td.total_seconds() * 1000)
1486
1808
host = notifychangeproperty(dbus.String, "Host")
1487
1809
timeout = notifychangeproperty(
1488
1810
dbus.UInt64, "Timeout",
1489
type_func = lambda td: td.total_seconds() * 1000)
1811
type_func=lambda td: td.total_seconds() * 1000)
1490
1812
extended_timeout = notifychangeproperty(
1491
1813
dbus.UInt64, "ExtendedTimeout",
1492
type_func = lambda td: td.total_seconds() * 1000)
1814
type_func=lambda td: td.total_seconds() * 1000)
1493
1815
interval = notifychangeproperty(
1494
1816
dbus.UInt64, "Interval",
1495
type_func = lambda td: td.total_seconds() * 1000)
1817
type_func=lambda td: td.total_seconds() * 1000)
1496
1818
checker_command = notifychangeproperty(dbus.String, "Checker")
1497
1819
secret = notifychangeproperty(dbus.ByteArray, "Secret",
1498
1820
invalidate_only=True)
1499
1821
1500
1822
del notifychangeproperty
1501
1823
1502
1824
def __del__(self, *args, **kwargs):
1503
1825
try:
1504
1826
self.remove_from_connection()
1507
1829
if hasattr(DBusObjectWithProperties, "__del__"):
1508
1830
DBusObjectWithProperties.__del__(self, *args, **kwargs)
1509
1831
Client.__del__(self, *args, **kwargs)
1510
1832
1511
1833
def checker_callback(self, source, condition,
1512
1834
connection, command, *args, **kwargs):
1513
1835
ret = Client.checker_callback(self, source, condition,
1529
1851
| self.last_checker_signal),
1530
1852
dbus.String(command))
1531
1853
return ret
1532
1854
1533
1855
def start_checker(self, *args, **kwargs):
1534
1856
old_checker_pid = getattr(self.checker, "pid", None)
1535
1857
r = Client.start_checker(self, *args, **kwargs)
1539
1861
# Emit D-Bus signal
1540
1862
self.CheckerStarted(self.current_checker_command)
1541
1863
return r
1542
1864
1543
1865
def _reset_approved(self):
1544
1866
self.approved = None
1545
1867
return False
1546
1868
1547
1869
def approve(self, value=True):
1548
1870
self.approved = value
1549
gobject.timeout_add(int(self.approval_duration.total_seconds()
1550
* 1000), self._reset_approved)
1871
GLib.timeout_add(int(self.approval_duration.total_seconds()
1872
* 1000), self._reset_approved)
1551
1873
self.send_changedstate()
1552
1553
## D-Bus methods, signals & properties
1554
1555
## Interfaces
1556
1557
## Signals
1558
1874
1875
# D-Bus methods, signals & properties
1876
1877
# Interfaces
1878
1879
# Signals
1880
1559
1881
# CheckerCompleted - signal
1560
1882
@dbus.service.signal(_interface, signature="nxs")
1561
1883
def CheckerCompleted(self, exitcode, waitstatus, command):
1562
1884
"D-Bus signal"
1563
1885
pass
1564
1886
1565
1887
# CheckerStarted - signal
1566
1888
@dbus.service.signal(_interface, signature="s")
1567
1889
def CheckerStarted(self, command):
1568
1890
"D-Bus signal"
1569
1891
pass
1570
1892
1571
1893
# PropertyChanged - signal
1572
1894
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1573
1895
@dbus.service.signal(_interface, signature="sv")
1574
1896
def PropertyChanged(self, property, value):
1575
1897
"D-Bus signal"
1576
1898
pass
1577
1899
1578
1900
# GotSecret - signal
1579
1901
@dbus.service.signal(_interface)
1580
1902
def GotSecret(self):
1583
1905
server to mandos-client
1584
1906
"""
1585
1907
pass
1586
1908
1587
1909
# Rejected - signal
1588
1910
@dbus.service.signal(_interface, signature="s")
1589
1911
def Rejected(self, reason):
1590
1912
"D-Bus signal"
1591
1913
pass
1592
1914
1593
1915
# NeedApproval - signal
1594
1916
@dbus.service.signal(_interface, signature="tb")
1595
1917
def NeedApproval(self, timeout, default):
1596
1918
"D-Bus signal"
1597
1919
return self.need_approval()
1598
1599
## Methods
1600
1920
1921
# Methods
1922
1601
1923
# Approve - method
1602
1924
@dbus.service.method(_interface, in_signature="b")
1603
1925
def Approve(self, value):
1604
1926
self.approve(value)
1605
1927
1606
1928
# CheckedOK - method
1607
1929
@dbus.service.method(_interface)
1608
1930
def CheckedOK(self):
1609
1931
self.checked_ok()
1610
1932
1611
1933
# Enable - method
1612
1934
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1613
1935
@dbus.service.method(_interface)
1614
1936
def Enable(self):
1615
1937
"D-Bus method"
1616
1938
self.enable()
1617
1939
1618
1940
# StartChecker - method
1619
1941
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1620
1942
@dbus.service.method(_interface)
1621
1943
def StartChecker(self):
1622
1944
"D-Bus method"
1623
1945
self.start_checker()
1624
1946
1625
1947
# Disable - method
1626
1948
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1627
1949
@dbus.service.method(_interface)
1628
1950
def Disable(self):
1629
1951
"D-Bus method"
1630
1952
self.disable()
1631
1953
1632
1954
# StopChecker - method
1633
1955
@dbus_annotations({"org.freedesktop.DBus.Deprecated": "true"})
1634
1956
@dbus.service.method(_interface)
1635
1957
def StopChecker(self):
1636
1958
self.stop_checker()
1637
1638
## Properties
1639
1959
1960
# Properties
1961
1640
1962
# ApprovalPending - property
1641
1963
@dbus_service_property(_interface, signature="b", access="read")
1642
1964
def ApprovalPending_dbus_property(self):
1643
1965
return dbus.Boolean(bool(self.approvals_pending))
1644
1966
1645
1967
# ApprovedByDefault - property
1646
1968
@dbus_service_property(_interface,
1647
1969
signature="b",
1650
1972
if value is None: # get
1651
1973
return dbus.Boolean(self.approved_by_default)
1652
1974
self.approved_by_default = bool(value)
1653
1975
1654
1976
# ApprovalDelay - property
1655
1977
@dbus_service_property(_interface,
1656
1978
signature="t",
1660
1982
return dbus.UInt64(self.approval_delay.total_seconds()
1661
1983
* 1000)
1662
1984
self.approval_delay = datetime.timedelta(0, 0, 0, value)
1663
1985
1664
1986
# ApprovalDuration - property
1665
1987
@dbus_service_property(_interface,
1666
1988
signature="t",
1670
1992
return dbus.UInt64(self.approval_duration.total_seconds()
1671
1993
* 1000)
1672
1994
self.approval_duration = datetime.timedelta(0, 0, 0, value)
1673
1995
1674
1996
# Name - property
1675
1997
@dbus_annotations(
1676
1998
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1677
1999
@dbus_service_property(_interface, signature="s", access="read")
1678
2000
def Name_dbus_property(self):
1679
2001
return dbus.String(self.name)
1680
2002
1681
2003
# Fingerprint - property
1682
2004
@dbus_annotations(
1683
2005
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1684
2006
@dbus_service_property(_interface, signature="s", access="read")
1685
2007
def Fingerprint_dbus_property(self):
1686
2008
return dbus.String(self.fingerprint)
1687
2009
1688
2010
# Host - property
1689
2011
@dbus_service_property(_interface,
1690
2012
signature="s",
1693
2015
if value is None: # get
1694
2016
return dbus.String(self.host)
1695
2017
self.host = str(value)
1696
2018
1697
2019
# Created - property
1698
2020
@dbus_annotations(
1699
2021
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const"})
1700
2022
@dbus_service_property(_interface, signature="s", access="read")
1701
2023
def Created_dbus_property(self):
1702
2024
return datetime_to_dbus(self.created)
1703
2025
1704
2026
# LastEnabled - property
1705
2027
@dbus_service_property(_interface, signature="s", access="read")
1706
2028
def LastEnabled_dbus_property(self):
1707
2029
return datetime_to_dbus(self.last_enabled)
1708
2030
1709
2031
# Enabled - property
1710
2032
@dbus_service_property(_interface,
1711
2033
signature="b",
1717
2039
self.enable()
1718
2040
else:
1719
2041
self.disable()
1720
2042
1721
2043
# LastCheckedOK - property
1722
2044
@dbus_service_property(_interface,
1723
2045
signature="s",
1727
2049
self.checked_ok()
1728
2050
return
1729
2051
return datetime_to_dbus(self.last_checked_ok)
1730
2052
1731
2053
# LastCheckerStatus - property
1732
2054
@dbus_service_property(_interface, signature="n", access="read")
1733
2055
def LastCheckerStatus_dbus_property(self):
1734
2056
return dbus.Int16(self.last_checker_status)
1735
2057
1736
2058
# Expires - property
1737
2059
@dbus_service_property(_interface, signature="s", access="read")
1738
2060
def Expires_dbus_property(self):
1739
2061
return datetime_to_dbus(self.expires)
1740
2062
1741
2063
# LastApprovalRequest - property
1742
2064
@dbus_service_property(_interface, signature="s", access="read")
1743
2065
def LastApprovalRequest_dbus_property(self):
1744
2066
return datetime_to_dbus(self.last_approval_request)
1745
2067
1746
2068
# Timeout - property
1747
2069
@dbus_service_property(_interface,
1748
2070
signature="t",
1763
2085
if (getattr(self, "disable_initiator_tag", None)
1764
2086
is None):
1765
2087
return
1766
gobject.source_remove(self.disable_initiator_tag)
1767
self.disable_initiator_tag = gobject.timeout_add(
2088
GLib.source_remove(self.disable_initiator_tag)
2089
self.disable_initiator_tag = GLib.timeout_add(
1768
2090
int((self.expires - now).total_seconds() * 1000),
1769
2091
self.disable)
1770
2092
1771
2093
# ExtendedTimeout - property
1772
2094
@dbus_service_property(_interface,
1773
2095
signature="t",
1777
2099
return dbus.UInt64(self.extended_timeout.total_seconds()
1778
2100
* 1000)
1779
2101
self.extended_timeout = datetime.timedelta(0, 0, 0, value)
1780
2102
1781
2103
# Interval - property
1782
2104
@dbus_service_property(_interface,
1783
2105
signature="t",
1790
2112
return
1791
2113
if self.enabled:
1792
2114
# Reschedule checker run
1793
gobject.source_remove(self.checker_initiator_tag)
1794
self.checker_initiator_tag = gobject.timeout_add(
2115
GLib.source_remove(self.checker_initiator_tag)
2116
self.checker_initiator_tag = GLib.timeout_add(
1795
2117
value, self.start_checker)
1796
self.start_checker() # Start one now, too
1797
2118
self.start_checker() # Start one now, too
2119
1798
2120
# Checker - property
1799
2121
@dbus_service_property(_interface,
1800
2122
signature="s",
1803
2125
if value is None: # get
1804
2126
return dbus.String(self.checker_command)
1805
2127
self.checker_command = str(value)
1806
2128
1807
2129
# CheckerRunning - property
1808
2130
@dbus_service_property(_interface,
1809
2131
signature="b",
1815
2137
self.start_checker()
1816
2138
else:
1817
2139
self.stop_checker()
1818
2140
1819
2141
# ObjectPath - property
1820
2142
@dbus_annotations(
1821
2143
{"org.freedesktop.DBus.Property.EmitsChangedSignal": "const",
1822
2144
"org.freedesktop.DBus.Deprecated": "true"})
1823
2145
@dbus_service_property(_interface, signature="o", access="read")
1824
2146
def ObjectPath_dbus_property(self):
1825
return self.dbus_object_path # is already a dbus.ObjectPath
1826
2147
return self.dbus_object_path # is already a dbus.ObjectPath
2148
1827
2149
# Secret = property
1828
2150
@dbus_annotations(
1829
2151
{"org.freedesktop.DBus.Property.EmitsChangedSignal":
1834
2156
byte_arrays=True)
1835
2157
def Secret_dbus_property(self, value):
1836
2158
self.secret = bytes(value)
1837
2159
1838
2160
del _interface
1839
2161
1840
2162
1844
2166
self._pipe.send(('init', fpr, address))
1845
2167
if not self._pipe.recv():
1846
2168
raise KeyError(fpr)
1847
2169
1848
2170
def __getattribute__(self, name):
1849
2171
if name == '_pipe':
1850
2172
return super(ProxyClient, self).__getattribute__(name)
1853
2175
if data[0] == 'data':
1854
2176
return data[1]
1855
2177
if data[0] == 'function':
1856
2178
1857
2179
def func(*args, **kwargs):
1858
2180
self._pipe.send(('funcall', name, args, kwargs))
1859
2181
return self._pipe.recv()[1]
1860
2182
1861
2183
return func
1862
2184
1863
2185
def __setattr__(self, name, value):
1864
2186
if name == '_pipe':
1865
2187
return super(ProxyClient, self).__setattr__(name, value)
1868
2190
1869
2191
class ClientHandler(socketserver.BaseRequestHandler, object):
1870
2192
"""A class to handle client connections.
1871
2193
1872
2194
Instantiated once for each connection to handle it.
1873
2195
Note: This will run in its own forked process."""
1874
2196
1875
2197
def handle(self):
1876
2198
with contextlib.closing(self.server.child_pipe) as child_pipe:
1877
2199
logger.info("TCP connection from: %s",
1878
2200
str(self.client_address))
1879
2201
logger.debug("Pipe FD: %d",
1880
2202
self.server.child_pipe.fileno())
1881
1882
session = gnutls.connection.ClientSession(
1883
self.request, gnutls.connection.X509Credentials())
1884
1885
# Note: gnutls.connection.X509Credentials is really a
1886
# generic GnuTLS certificate credentials object so long as
1887
# no X.509 keys are added to it. Therefore, we can use it
1888
# here despite using OpenPGP certificates.
1889
1890
#priority = ':'.join(("NONE", "+VERS-TLS1.1",
1891
# "+AES-256-CBC", "+SHA1",
1892
# "+COMP-NULL", "+CTYPE-OPENPGP",
1893
# "+DHE-DSS"))
2203
2204
session = gnutls.ClientSession(self.request)
2205
2206
# priority = ':'.join(("NONE", "+VERS-TLS1.1",
2207
# "+AES-256-CBC", "+SHA1",
2208
# "+COMP-NULL", "+CTYPE-OPENPGP",
2209
# "+DHE-DSS"))
1894
2210
# Use a fallback default, since this MUST be set.
1895
2211
priority = self.server.gnutls_priority
1896
2212
if priority is None:
1897
2213
priority = "NORMAL"
1898
gnutls.library.functions.gnutls_priority_set_direct(
1899
session._c_object, priority, None)
1900
2214
gnutls.priority_set_direct(session._c_object,
2215
priority.encode("utf-8"),
2216
None)
2217
1901
2218
# Start communication using the Mandos protocol
1902
2219
# Get protocol number
1903
2220
line = self.request.makefile().readline()
1908
2225
except (ValueError, IndexError, RuntimeError) as error:
1909
2226
logger.error("Unknown protocol version: %s", error)
1910
2227
return
1911
2228
1912
2229
# Start GnuTLS connection
1913
2230
try:
1914
2231
session.handshake()
1915
except gnutls.errors.GNUTLSError as error:
2232
except gnutls.Error as error:
1916
2233
logger.warning("Handshake failed: %s", error)
1917
2234
# Do not run session.bye() here: the session is not
1918
2235
# established. Just abandon the request.
1919
2236
return
1920
2237
logger.debug("Handshake succeeded")
1921
2238
1922
2239
approval_required = False
1923
2240
try:
1924
2241
try:
1925
2242
fpr = self.fingerprint(
1926
2243
self.peer_certificate(session))
1927
except (TypeError,
1928
gnutls.errors.GNUTLSError) as error:
2244
except (TypeError, gnutls.Error) as error:
1929
2245
logger.warning("Bad certificate: %s", error)
1930
2246
return
1931
2247
logger.debug("Fingerprint: %s", fpr)
1932
2248
1933
2249
try:
1934
2250
client = ProxyClient(child_pipe, fpr,
1935
2251
self.client_address)
1936
2252
except KeyError:
1937
2253
return
1938
2254
1939
2255
if client.approval_delay:
1940
2256
delay = client.approval_delay
1941
2257
client.approvals_pending += 1
1942
2258
approval_required = True
1943
2259
1944
2260
while True:
1945
2261
if not client.enabled:
1946
2262
logger.info("Client %s is disabled",
1949
2265
# Emit D-Bus signal
1950
2266
client.Rejected("Disabled")
1951
2267
return
1952
2268
1953
2269
if client.approved or not client.approval_delay:
1954
#We are approved or approval is disabled
2270
# We are approved or approval is disabled
1955
2271
break
1956
2272
elif client.approved is None:
1957
2273
logger.info("Client %s needs approval",
1968
2284
# Emit D-Bus signal
1969
2285
client.Rejected("Denied")
1970
2286
return
1971
1972
#wait until timeout or approved
2287
2288
# wait until timeout or approved
1973
2289
time = datetime.datetime.now()
1974
2290
client.changedstate.acquire()
1975
2291
client.changedstate.wait(delay.total_seconds())
1988
2304
break
1989
2305
else:
1990
2306
delay -= time2 - time
1991
1992
sent_size = 0
1993
while sent_size < len(client.secret):
1994
try:
1995
sent = session.send(client.secret[sent_size:])
1996
except gnutls.errors.GNUTLSError as error:
1997
logger.warning("gnutls send failed",
1998
exc_info=error)
1999
return
2000
logger.debug("Sent: %d, remaining: %d", sent,
2001
len(client.secret) - (sent_size
2002
+ sent))
2003
sent_size += sent
2004
2307
2308
try:
2309
session.send(client.secret)
2310
except gnutls.Error as error:
2311
logger.warning("gnutls send failed",
2312
exc_info=error)
2313
return
2314
2005
2315
logger.info("Sending secret to %s", client.name)
2006
2316
# bump the timeout using extended_timeout
2007
2317
client.bump_timeout(client.extended_timeout)
2008
2318
if self.server.use_dbus:
2009
2319
# Emit D-Bus signal
2010
2320
client.GotSecret()
2011
2321
2012
2322
finally:
2013
2323
if approval_required:
2014
2324
client.approvals_pending -= 1
2015
2325
try:
2016
2326
session.bye()
2017
except gnutls.errors.GNUTLSError as error:
2327
except gnutls.Error as error:
2018
2328
logger.warning("GnuTLS bye failed",
2019
2329
exc_info=error)
2020
2330
2021
2331
@staticmethod
2022
2332
def peer_certificate(session):
2023
2333
"Return the peer's OpenPGP certificate as a bytestring"
2024
2334
# If not an OpenPGP certificate...
2025
if (gnutls.library.functions.gnutls_certificate_type_get(
2026
session._c_object)
2027
!= gnutls.library.constants.GNUTLS_CRT_OPENPGP):
2028
# ...do the normal thing
2029
return session.peer_certificate
2335
if (gnutls.certificate_type_get(session._c_object)
2336
!= gnutls.CRT_OPENPGP):
2337
# ...return invalid data
2338
return b""
2030
2339
list_size = ctypes.c_uint(1)
2031
cert_list = (gnutls.library.functions
2032
.gnutls_certificate_get_peers
2340
cert_list = (gnutls.certificate_get_peers
2033
2341
(session._c_object, ctypes.byref(list_size)))
2034
2342
if not bool(cert_list) and list_size.value != 0:
2035
raise gnutls.errors.GNUTLSError("error getting peer"
2036
" certificate")
2343
raise gnutls.Error("error getting peer certificate")
2037
2344
if list_size.value == 0:
2038
2345
return None
2039
2346
cert = cert_list[0]
2040
2347
return ctypes.string_at(cert.data, cert.size)
2041
2348
2042
2349
@staticmethod
2043
2350
def fingerprint(openpgp):
2044
2351
"Convert an OpenPGP bytestring to a hexdigit fingerprint"
2045
2352
# New GnuTLS "datum" with the OpenPGP public key
2046
datum = gnutls.library.types.gnutls_datum_t(
2353
datum = gnutls.datum_t(
2047
2354
ctypes.cast(ctypes.c_char_p(openpgp),
2048
2355
ctypes.POINTER(ctypes.c_ubyte)),
2049
2356
ctypes.c_uint(len(openpgp)))
2050
2357
# New empty GnuTLS certificate
2051
crt = gnutls.library.types.gnutls_openpgp_crt_t()
2052
gnutls.library.functions.gnutls_openpgp_crt_init(
2053
ctypes.byref(crt))
2358
crt = gnutls.openpgp_crt_t()
2359
gnutls.openpgp_crt_init(ctypes.byref(crt))
2054
2360
# Import the OpenPGP public key into the certificate
2055
gnutls.library.functions.gnutls_openpgp_crt_import(
2056
crt, ctypes.byref(datum),
2057
gnutls.library.constants.GNUTLS_OPENPGP_FMT_RAW)
2361
gnutls.openpgp_crt_import(crt, ctypes.byref(datum),
2362
gnutls.OPENPGP_FMT_RAW)
2058
2363
# Verify the self signature in the key
2059
2364
crtverify = ctypes.c_uint()
2060
gnutls.library.functions.gnutls_openpgp_crt_verify_self(
2061
crt, 0, ctypes.byref(crtverify))
2365
gnutls.openpgp_crt_verify_self(crt, 0,
2366
ctypes.byref(crtverify))
2062
2367
if crtverify.value != 0:
2063
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2064
raise gnutls.errors.CertificateSecurityError(
2065
"Verify failed")
2368
gnutls.openpgp_crt_deinit(crt)
2369
raise gnutls.CertificateSecurityError("Verify failed")
2066
2370
# New buffer for the fingerprint
2067
2371
buf = ctypes.create_string_buffer(20)
2068
2372
buf_len = ctypes.c_size_t()
2069
2373
# Get the fingerprint from the certificate into the buffer
2070
gnutls.library.functions.gnutls_openpgp_crt_get_fingerprint(
2071
crt, ctypes.byref(buf), ctypes.byref(buf_len))
2374
gnutls.openpgp_crt_get_fingerprint(crt, ctypes.byref(buf),
2375
ctypes.byref(buf_len))
2072
2376
# Deinit the certificate
2073
gnutls.library.functions.gnutls_openpgp_crt_deinit(crt)
2377
gnutls.openpgp_crt_deinit(crt)
2074
2378
# Convert the buffer to a Python bytestring
2075
2379
fpr = ctypes.string_at(buf, buf_len.value)
2076
2380
# Convert the bytestring to hexadecimal notation
2080
2384
2081
2385
class MultiprocessingMixIn(object):
2082
2386
"""Like socketserver.ThreadingMixIn, but with multiprocessing"""
2083
2387
2084
2388
def sub_process_main(self, request, address):
2085
2389
try:
2086
2390
self.finish_request(request, address)
2087
2391
except Exception:
2088
2392
self.handle_error(request, address)
2089
2393
self.close_request(request)
2090
2394
2091
2395
def process_request(self, request, address):
2092
2396
"""Start a new process to process the request."""
2093
proc = multiprocessing.Process(target = self.sub_process_main,
2094
args = (request, address))
2397
proc = multiprocessing.Process(target=self.sub_process_main,
2398
args=(request, address))
2095
2399
proc.start()
2096
2400
return proc
2097
2401
2098
2402
2099
2403
class MultiprocessingMixInWithPipe(MultiprocessingMixIn, object):
2100
2404
""" adds a pipe to the MixIn """
2101
2405
2102
2406
def process_request(self, request, client_address):
2103
2407
"""Overrides and wraps the original process_request().
2104
2408
2105
2409
This function creates a new pipe in self.pipe
2106
2410
"""
2107
2411
parent_pipe, self.child_pipe = multiprocessing.Pipe()
2108
2412
2109
2413
proc = MultiprocessingMixIn.process_request(self, request,
2110
2414
client_address)
2111
2415
self.child_pipe.close()
2112
2416
self.add_pipe(parent_pipe, proc)
2113
2417
2114
2418
def add_pipe(self, parent_pipe, proc):
2115
2419
"""Dummy function; override as necessary"""
2116
2420
raise NotImplementedError()
2119
2423
class IPv6_TCPServer(MultiprocessingMixInWithPipe,
2120
2424
socketserver.TCPServer, object):
2121
2425
"""IPv6-capable TCP server. Accepts 'None' as address and/or port
2122
2426
2123
2427
Attributes:
2124
2428
enabled: Boolean; whether this server is activated yet
2125
2429
interface: None or a network interface name (string)
2126
2430
use_ipv6: Boolean; to use IPv6 or not
2127
2431
"""
2128
2432
2129
2433
def __init__(self, server_address, RequestHandlerClass,
2130
2434
interface=None,
2131
2435
use_ipv6=True,
2141
2445
self.socketfd = socketfd
2142
2446
# Save the original socket.socket() function
2143
2447
self.socket_socket = socket.socket
2448
2144
2449
# To implement --socket, we monkey patch socket.socket.
2145
#
2450
#
2146
2451
# (When socketserver.TCPServer is a new-style class, we
2147
2452
# could make self.socket into a property instead of monkey
2148
2453
# patching socket.socket.)
2149
#
2454
#
2150
2455
# Create a one-time-only replacement for socket.socket()
2151
2456
@functools.wraps(socket.socket)
2152
2457
def socket_wrapper(*args, **kwargs):
2164
2469
# socket_wrapper(), if socketfd was set.
2165
2470
socketserver.TCPServer.__init__(self, server_address,
2166
2471
RequestHandlerClass)
2167
2472
2168
2473
def server_bind(self):
2169
2474
"""This overrides the normal server_bind() function
2170
2475
to bind to an interface if one was specified, and also NOT to
2171
2476
bind to an address or port if they were not specified."""
2477
global SO_BINDTODEVICE
2172
2478
if self.interface is not None:
2173
2479
if SO_BINDTODEVICE is None:
2174
logger.error("SO_BINDTODEVICE does not exist;"
2175
" cannot bind to interface %s",
2176
self.interface)
2177
else:
2178
try:
2179
self.socket.setsockopt(
2180
socket.SOL_SOCKET, SO_BINDTODEVICE,
2181
(self.interface + "\0").encode("utf-8"))
2182
except socket.error as error:
2183
if error.errno == errno.EPERM:
2184
logger.error("No permission to bind to"
2185
" interface %s", self.interface)
2186
elif error.errno == errno.ENOPROTOOPT:
2187
logger.error("SO_BINDTODEVICE not available;"
2188
" cannot bind to interface %s",
2189
self.interface)
2190
elif error.errno == errno.ENODEV:
2191
logger.error("Interface %s does not exist,"
2192
" cannot bind", self.interface)
2193
else:
2194
raise
2480
# Fall back to a hard-coded value which seems to be
2481
# common enough.
2482
logger.warning("SO_BINDTODEVICE not found, trying 25")
2483
SO_BINDTODEVICE = 25
2484
try:
2485
self.socket.setsockopt(
2486
socket.SOL_SOCKET, SO_BINDTODEVICE,
2487
(self.interface + "\0").encode("utf-8"))
2488
except socket.error as error:
2489
if error.errno == errno.EPERM:
2490
logger.error("No permission to bind to"
2491
" interface %s", self.interface)
2492
elif error.errno == errno.ENOPROTOOPT:
2493
logger.error("SO_BINDTODEVICE not available;"
2494
" cannot bind to interface %s",
2495
self.interface)
2496
elif error.errno == errno.ENODEV:
2497
logger.error("Interface %s does not exist,"
2498
" cannot bind", self.interface)
2499
else:
2500
raise
2195
2501
# Only bind(2) the socket if we really need to.
2196
2502
if self.server_address[0] or self.server_address[1]:
2197
2503
if not self.server_address[0]:
2198
2504
if self.address_family == socket.AF_INET6:
2199
any_address = "::" # in6addr_any
2505
any_address = "::" # in6addr_any
2200
2506
else:
2201
any_address = "0.0.0.0" # INADDR_ANY
2507
any_address = "0.0.0.0" # INADDR_ANY
2202
2508
self.server_address = (any_address,
2203
2509
self.server_address[1])
2204
2510
elif not self.server_address[1]:
2214
2520
2215
2521
class MandosServer(IPv6_TCPServer):
2216
2522
"""Mandos server.
2217
2523
2218
2524
Attributes:
2219
2525
clients: set of Client objects
2220
2526
gnutls_priority GnuTLS priority string
2221
2527
use_dbus: Boolean; to emit D-Bus signals or not
2222
2223
Assumes a gobject.MainLoop event loop.
2528
2529
Assumes a GLib.MainLoop event loop.
2224
2530
"""
2225
2531
2226
2532
def __init__(self, server_address, RequestHandlerClass,
2227
2533
interface=None,
2228
2534
use_ipv6=True,
2238
2544
self.gnutls_priority = gnutls_priority
2239
2545
IPv6_TCPServer.__init__(self, server_address,
2240
2546
RequestHandlerClass,
2241
interface = interface,
2242
use_ipv6 = use_ipv6,
2243
socketfd = socketfd)
2244
2547
interface=interface,
2548
use_ipv6=use_ipv6,
2549
socketfd=socketfd)
2550
2245
2551
def server_activate(self):
2246
2552
if self.enabled:
2247
2553
return socketserver.TCPServer.server_activate(self)
2248
2554
2249
2555
def enable(self):
2250
2556
self.enabled = True
2251
2557
2252
2558
def add_pipe(self, parent_pipe, proc):
2253
2559
# Call "handle_ipc" for both data and EOF events
2254
gobject.io_add_watch(
2560
GLib.io_add_watch(
2255
2561
parent_pipe.fileno(),
2256
gobject.IO_IN | gobject.IO_HUP,
2562
GLib.IO_IN | GLib.IO_HUP,
2257
2563
functools.partial(self.handle_ipc,
2258
parent_pipe = parent_pipe,
2259
proc = proc))
2260
2564
parent_pipe=parent_pipe,
2565
proc=proc))
2566
2261
2567
def handle_ipc(self, source, condition,
2262
2568
parent_pipe=None,
2263
proc = None,
2569
proc=None,
2264
2570
client_object=None):
2265
2571
# error, or the other end of multiprocessing.Pipe has closed
2266
if condition & (gobject.IO_ERR | gobject.IO_HUP):
2572
if condition & (GLib.IO_ERR | GLib.IO_HUP):
2267
2573
# Wait for other process to exit
2268
2574
proc.join()
2269
2575
return False
2270
2576
2271
2577
# Read a request from the child
2272
2578
request = parent_pipe.recv()
2273
2579
command = request[0]
2274
2580
2275
2581
if command == 'init':
2276
fpr = request[1]
2582
fpr = request[1].decode("ascii")
2277
2583
address = request[2]
2278
2279
for c in self.clients.itervalues():
2584
2585
for c in self.clients.values():
2280
2586
if c.fingerprint == fpr:
2281
2587
client = c
2282
2588
break
2289
2595
address[0])
2290
2596
parent_pipe.send(False)
2291
2597
return False
2292
2293
gobject.io_add_watch(
2598
2599
GLib.io_add_watch(
2294
2600
parent_pipe.fileno(),
2295
gobject.IO_IN | gobject.IO_HUP,
2601
GLib.IO_IN | GLib.IO_HUP,
2296
2602
functools.partial(self.handle_ipc,
2297
parent_pipe = parent_pipe,
2298
proc = proc,
2299
client_object = client))
2603
parent_pipe=parent_pipe,
2604
proc=proc,
2605
client_object=client))
2300
2606
parent_pipe.send(True)
2301
2607
# remove the old hook in favor of the new above hook on
2302
2608
# same fileno
2305
2611
funcname = request[1]
2306
2612
args = request[2]
2307
2613
kwargs = request[3]
2308
2614
2309
2615
parent_pipe.send(('data', getattr(client_object,
2310
2616
funcname)(*args,
2311
2617
**kwargs)))
2312
2618
2313
2619
if command == 'getattr':
2314
2620
attrname = request[1]
2315
2621
if isinstance(client_object.__getattribute__(attrname),
2318
2624
else:
2319
2625
parent_pipe.send((
2320
2626
'data', client_object.__getattribute__(attrname)))
2321
2627
2322
2628
if command == 'setattr':
2323
2629
attrname = request[1]
2324
2630
value = request[2]
2325
2631
setattr(client_object, attrname, value)
2326
2632
2327
2633
return True
2328
2634
2329
2635
2330
2636
def rfc3339_duration_to_delta(duration):
2331
2637
"""Parse an RFC 3339 "duration" and return a datetime.timedelta
2332
2638
2333
2639
>>> rfc3339_duration_to_delta("P7D")
2334
2640
datetime.timedelta(7)
2335
2641
>>> rfc3339_duration_to_delta("PT60S")
2345
2651
>>> rfc3339_duration_to_delta("P1DT3M20S")
2346
2652
datetime.timedelta(1, 200)
2347
2653
"""
2348
2654
2349
2655
# Parsing an RFC 3339 duration with regular expressions is not
2350
2656
# possible - there would have to be multiple places for the same
2351
2657
# values, like seconds. The current code, while more esoteric, is
2352
2658
# cleaner without depending on a parsing library. If Python had a
2353
2659
# built-in library for parsing we would use it, but we'd like to
2354
2660
# avoid excessive use of external libraries.
2355
2661
2356
2662
# New type for defining tokens, syntax, and semantics all-in-one
2357
2663
Token = collections.namedtuple("Token", (
2358
2664
"regexp", # To match token; if "value" is not None, must have
2391
2697
frozenset((token_year, token_month,
2392
2698
token_day, token_time,
2393
2699
token_week)))
2394
# Define starting values
2395
value = datetime.timedelta() # Value so far
2700
# Define starting values:
2701
# Value so far
2702
value = datetime.timedelta()
2396
2703
found_token = None
2397
followers = frozenset((token_duration, )) # Following valid tokens
2398
s = duration # String left to parse
2704
# Following valid tokens
2705
followers = frozenset((token_duration, ))
2706
# String left to parse
2707
s = duration
2399
2708
# Loop until end token is found
2400
2709
while found_token is not token_end:
2401
2710
# Search for any currently valid tokens
2425
2734
2426
2735
def string_to_delta(interval):
2427
2736
"""Parse a string and return a datetime.timedelta
2428
2737
2429
2738
>>> string_to_delta('7d')
2430
2739
datetime.timedelta(7)
2431
2740
>>> string_to_delta('60s')
2439
2748
>>> string_to_delta('5m 30s')
2440
2749
datetime.timedelta(0, 330)
2441
2750
"""
2442
2751
2443
2752
try:
2444
2753
return rfc3339_duration_to_delta(interval)
2445
2754
except ValueError:
2446
2755
pass
2447
2756
2448
2757
timevalue = datetime.timedelta(0)
2449
2758
for s in interval.split():
2450
2759
try:
2468
2777
return timevalue
2469
2778
2470
2779
2471
def daemon(nochdir = False, noclose = False):
2780
def daemon(nochdir=False, noclose=False):
2472
2781
"""See daemon(3). Standard BSD Unix function.
2473
2782
2474
2783
This should really exist as os.daemon, but it doesn't (yet)."""
2475
2784
if os.fork():
2476
2785
sys.exit()
2494
2803
2495
2804
2496
2805
def main():
2497
2806
2498
2807
##################################################################
2499
2808
# Parsing of options, both command line and config file
2500
2809
2501
2810
parser = argparse.ArgumentParser()
2502
2811
parser.add_argument("-v", "--version", action="version",
2503
version = "%(prog)s {}".format(version),
2812
version="%(prog)s {}".format(version),
2504
2813
help="show version number and exit")
2505
2814
parser.add_argument("-i", "--interface", metavar="IF",
2506
2815
help="Bind to interface IF")
2542
2851
parser.add_argument("--no-zeroconf", action="store_false",
2543
2852
dest="zeroconf", help="Do not use Zeroconf",
2544
2853
default=None)
2545
2854
2546
2855
options = parser.parse_args()
2547
2856
2548
2857
if options.check:
2549
2858
import doctest
2550
2859
fail_count, test_count = doctest.testmod()
2551
2860
sys.exit(os.EX_OK if fail_count == 0 else 1)
2552
2861
2553
2862
# Default values for config file for server-global settings
2554
server_defaults = { "interface": "",
2555
"address": "",
2556
"port": "",
2557
"debug": "False",
2558
"priority":
2559
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2560
":+SIGN-DSA-SHA256",
2561
"servicename": "Mandos",
2562
"use_dbus": "True",
2563
"use_ipv6": "True",
2564
"debuglevel": "",
2565
"restore": "True",
2566
"socket": "",
2567
"statedir": "/var/lib/mandos",
2568
"foreground": "False",
2569
"zeroconf": "True",
2570
}
2571
2863
server_defaults = {"interface": "",
2864
"address": "",
2865
"port": "",
2866
"debug": "False",
2867
"priority":
2868
"SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA"
2869
":+SIGN-DSA-SHA256",
2870
"servicename": "Mandos",
2871
"use_dbus": "True",
2872
"use_ipv6": "True",
2873
"debuglevel": "",
2874
"restore": "True",
2875
"socket": "",
2876
"statedir": "/var/lib/mandos",
2877
"foreground": "False",
2878
"zeroconf": "True",
2879
}
2880
2572
2881
# Parse config file for server-global settings
2573
2882
server_config = configparser.SafeConfigParser(server_defaults)
2574
2883
del server_defaults
2576
2885
# Convert the SafeConfigParser object to a dict
2577
2886
server_settings = server_config.defaults()
2578
2887
# Use the appropriate methods on the non-string config options
2579
for option in ("debug", "use_dbus", "use_ipv6", "foreground"):
2888
for option in ("debug", "use_dbus", "use_ipv6", "restore",
2889
"foreground", "zeroconf"):
2580
2890
server_settings[option] = server_config.getboolean("DEFAULT",
2581
2891
option)
2582
2892
if server_settings["port"]:
2592
2902
server_settings["socket"] = os.dup(server_settings
2593
2903
["socket"])
2594
2904
del server_config
2595
2905
2596
2906
# Override the settings from the config file with command line
2597
2907
# options, if set.
2598
2908
for option in ("interface", "address", "port", "debug",
2616
2926
if server_settings["debug"]:
2617
2927
server_settings["foreground"] = True
2618
2928
# Now we have our good server settings in "server_settings"
2619
2929
2620
2930
##################################################################
2621
2931
2622
2932
if (not server_settings["zeroconf"]
2623
2933
and not (server_settings["port"]
2624
2934
or server_settings["socket"] != "")):
2625
2935
parser.error("Needs port or socket to work without Zeroconf")
2626
2936
2627
2937
# For convenience
2628
2938
debug = server_settings["debug"]
2629
2939
debuglevel = server_settings["debuglevel"]
2633
2943
stored_state_file)
2634
2944
foreground = server_settings["foreground"]
2635
2945
zeroconf = server_settings["zeroconf"]
2636
2946
2637
2947
if debug:
2638
2948
initlogger(debug, logging.DEBUG)
2639
2949
else:
2642
2952
else:
2643
2953
level = getattr(logging, debuglevel.upper())
2644
2954
initlogger(debug, level)
2645
2955
2646
2956
if server_settings["servicename"] != "Mandos":
2647
2957
syslogger.setFormatter(
2648
2958
logging.Formatter('Mandos ({}) [%(process)d]:'
2649
2959
' %(levelname)s: %(message)s'.format(
2650
2960
server_settings["servicename"])))
2651
2961
2652
2962
# Parse config file with clients
2653
2963
client_config = configparser.SafeConfigParser(Client
2654
2964
.client_defaults)
2655
2965
client_config.read(os.path.join(server_settings["configdir"],
2656
2966
"clients.conf"))
2657
2967
2658
2968
global mandos_dbus_service
2659
2969
mandos_dbus_service = None
2660
2970
2661
2971
socketfd = None
2662
2972
if server_settings["socket"] != "":
2663
2973
socketfd = server_settings["socket"]
2679
2989
except IOError as e:
2680
2990
logger.error("Could not open file %r", pidfilename,
2681
2991
exc_info=e)
2682
2683
for name in ("_mandos", "mandos", "nobody"):
2992
2993
for name, group in (("_mandos", "_mandos"),
2994
("mandos", "mandos"),
2995
("nobody", "nogroup")):
2684
2996
try:
2685
2997
uid = pwd.getpwnam(name).pw_uid
2686
gid = pwd.getpwnam(name).pw_gid
2998
gid = pwd.getpwnam(group).pw_gid
2687
2999
break
2688
3000
except KeyError:
2689
3001
continue
2693
3005
try:
2694
3006
os.setgid(gid)
2695
3007
os.setuid(uid)
3008
if debug:
3009
logger.debug("Did setuid/setgid to {}:{}".format(uid,
3010
gid))
2696
3011
except OSError as error:
3012
logger.warning("Failed to setuid/setgid to {}:{}: {}"
3013
.format(uid, gid, os.strerror(error.errno)))
2697
3014
if error.errno != errno.EPERM:
2698
3015
raise
2699
3016
2700
3017
if debug:
2701
3018
# Enable all possible GnuTLS debugging
2702
3019
2703
3020
# "Use a log level over 10 to enable all debugging options."
2704
3021
# - GnuTLS manual
2705
gnutls.library.functions.gnutls_global_set_log_level(11)
2706
2707
@gnutls.library.types.gnutls_log_func
3022
gnutls.global_set_log_level(11)
3023
3024
@gnutls.log_func
2708
3025
def debug_gnutls(level, string):
2709
3026
logger.debug("GnuTLS: %s", string[:-1])
2710
2711
gnutls.library.functions.gnutls_global_set_log_function(
2712
debug_gnutls)
2713
3027
3028
gnutls.global_set_log_function(debug_gnutls)
3029
2714
3030
# Redirect stdin so all checkers get /dev/null
2715
3031
null = os.open(os.devnull, os.O_NOCTTY | os.O_RDWR)
2716
3032
os.dup2(null, sys.stdin.fileno())
2717
3033
if null > 2:
2718
3034
os.close(null)
2719
3035
2720
3036
# Need to fork before connecting to D-Bus
2721
3037
if not foreground:
2722
3038
# Close all input and output, do double fork, etc.
2723
3039
daemon()
2724
2725
# multiprocessing will use threads, so before we use gobject we
2726
# need to inform gobject that threads will be used.
2727
gobject.threads_init()
2728
3040
3041
# multiprocessing will use threads, so before we use GLib we need
3042
# to inform GLib that threads will be used.
3043
GLib.threads_init()
3044
2729
3045
global main_loop
2730
3046
# From the Avahi example code
2731
3047
DBusGMainLoop(set_as_default=True)
2732
main_loop = gobject.MainLoop()
3048
main_loop = GLib.MainLoop()
2733
3049
bus = dbus.SystemBus()
2734
3050
# End of Avahi example code
2735
3051
if use_dbus:
2748
3064
if zeroconf:
2749
3065
protocol = avahi.PROTO_INET6 if use_ipv6 else avahi.PROTO_INET
2750
3066
service = AvahiServiceToSyslog(
2751
name = server_settings["servicename"],
2752
servicetype = "_mandos._tcp",
2753
protocol = protocol,
2754
bus = bus)
3067
name=server_settings["servicename"],
3068
servicetype="_mandos._tcp",
3069
protocol=protocol,
3070
bus=bus)
2755
3071
if server_settings["interface"]:
2756
3072
service.interface = if_nametoindex(
2757
3073
server_settings["interface"].encode("utf-8"))
2758
3074
2759
3075
global multiprocessing_manager
2760
3076
multiprocessing_manager = multiprocessing.Manager()
2761
3077
2762
3078
client_class = Client
2763
3079
if use_dbus:
2764
client_class = functools.partial(ClientDBus, bus = bus)
2765
3080
client_class = functools.partial(ClientDBus, bus=bus)
3081
2766
3082
client_settings = Client.config_parser(client_config)
2767
3083
old_client_settings = {}
2768
3084
clients_data = {}
2769
3085
2770
3086
# This is used to redirect stdout and stderr for checker processes
2771
3087
global wnull
2772
wnull = open(os.devnull, "w") # A writable /dev/null
3088
wnull = open(os.devnull, "w") # A writable /dev/null
2773
3089
# Only used if server is running in foreground but not in debug
2774
3090
# mode
2775
3091
if debug or not foreground:
2776
3092
wnull.close()
2777
3093
2778
3094
# Get client data and settings from last running state.
2779
3095
if server_settings["restore"]:
2780
3096
try:
2781
3097
with open(stored_state_path, "rb") as stored_state:
2782
clients_data, old_client_settings = pickle.load(
2783
stored_state)
3098
if sys.version_info.major == 2:
3099
clients_data, old_client_settings = pickle.load(
3100
stored_state)
3101
else:
3102
bytes_clients_data, bytes_old_client_settings = (
3103
pickle.load(stored_state, encoding="bytes"))
3104
# Fix bytes to strings
3105
# clients_data
3106
# .keys()
3107
clients_data = {(key.decode("utf-8")
3108
if isinstance(key, bytes)
3109
else key): value
3110
for key, value in
3111
bytes_clients_data.items()}
3112
del bytes_clients_data
3113
for key in clients_data:
3114
value = {(k.decode("utf-8")
3115
if isinstance(k, bytes) else k): v
3116
for k, v in
3117
clients_data[key].items()}
3118
clients_data[key] = value
3119
# .client_structure
3120
value["client_structure"] = [
3121
(s.decode("utf-8")
3122
if isinstance(s, bytes)
3123
else s) for s in
3124
value["client_structure"]]
3125
# .name & .host
3126
for k in ("name", "host"):
3127
if isinstance(value[k], bytes):
3128
value[k] = value[k].decode("utf-8")
3129
# old_client_settings
3130
# .keys()
3131
old_client_settings = {
3132
(key.decode("utf-8")
3133
if isinstance(key, bytes)
3134
else key): value
3135
for key, value in
3136
bytes_old_client_settings.items()}
3137
del bytes_old_client_settings
3138
# .host
3139
for value in old_client_settings.values():
3140
if isinstance(value["host"], bytes):
3141
value["host"] = (value["host"]
3142
.decode("utf-8"))
2784
3143
os.remove(stored_state_path)
2785
3144
except IOError as e:
2786
3145
if e.errno == errno.ENOENT:
2794
3153
logger.warning("Could not load persistent state: "
2795
3154
"EOFError:",
2796
3155
exc_info=e)
2797
3156
2798
3157
with PGPEngine() as pgp:
2799
3158
for client_name, client in clients_data.items():
2800
3159
# Skip removed clients
2801
3160
if client_name not in client_settings:
2802
3161
continue
2803
3162
2804
3163
# Decide which value to use after restoring saved state.
2805
3164
# We have three different values: Old config file,
2806
3165
# new config file, and saved state.
2817
3176
client[name] = value
2818
3177
except KeyError:
2819
3178
pass
2820
3179
2821
3180
# Clients who has passed its expire date can still be
2822
3181
# enabled if its last checker was successful. A Client
2823
3182
# whose checker succeeded before we stored its state is
2856
3215
client_name))
2857
3216
client["secret"] = (client_settings[client_name]
2858
3217
["secret"])
2859
3218
2860
3219
# Add/remove clients based on new changes made to config
2861
3220
for client_name in (set(old_client_settings)
2862
3221
- set(client_settings)):
2864
3223
for client_name in (set(client_settings)
2865
3224
- set(old_client_settings)):
2866
3225
clients_data[client_name] = client_settings[client_name]
2867
3226
2868
3227
# Create all client objects
2869
3228
for client_name, client in clients_data.items():
2870
3229
tcp_server.clients[client_name] = client_class(
2871
name = client_name,
2872
settings = client,
2873
server_settings = server_settings)
2874
3230
name=client_name,
3231
settings=client,
3232
server_settings=server_settings)
3233
2875
3234
if not tcp_server.clients:
2876
3235
logger.warning("No clients defined")
2877
3236
2878
3237
if not foreground:
2879
3238
if pidfile is not None:
2880
3239
pid = os.getpid()
2886
3245
pidfilename, pid)
2887
3246
del pidfile
2888
3247
del pidfilename
2889
2890
signal.signal(signal.SIGHUP, lambda signum, frame: sys.exit())
2891
signal.signal(signal.SIGTERM, lambda signum, frame: sys.exit())
2892
3248
3249
for termsig in (signal.SIGHUP, signal.SIGTERM):
3250
GLib.unix_signal_add(GLib.PRIORITY_HIGH, termsig,
3251
lambda: main_loop.quit() and False)
3252
2893
3253
if use_dbus:
2894
3254
2895
3255
@alternate_dbus_interfaces(
2896
{ "se.recompile.Mandos": "se.bsnet.fukt.Mandos" })
3256
{"se.recompile.Mandos": "se.bsnet.fukt.Mandos"})
2897
3257
class MandosDBusService(DBusObjectWithObjectManager):
2898
3258
"""A D-Bus proxy object"""
2899
3259
2900
3260
def __init__(self):
2901
3261
dbus.service.Object.__init__(self, bus, "/")
2902
3262
2903
3263
_interface = "se.recompile.Mandos"
2904
3264
2905
3265
@dbus.service.signal(_interface, signature="o")
2906
3266
def ClientAdded(self, objpath):
2907
3267
"D-Bus signal"
2908
3268
pass
2909
3269
2910
3270
@dbus.service.signal(_interface, signature="ss")
2911
3271
def ClientNotFound(self, fingerprint, address):
2912
3272
"D-Bus signal"
2913
3273
pass
2914
3274
2915
3275
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2916
3276
"true"})
2917
3277
@dbus.service.signal(_interface, signature="os")
2918
3278
def ClientRemoved(self, objpath, name):
2919
3279
"D-Bus signal"
2920
3280
pass
2921
3281
2922
3282
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2923
3283
"true"})
2924
3284
@dbus.service.method(_interface, out_signature="ao")
2925
3285
def GetAllClients(self):
2926
3286
"D-Bus method"
2927
3287
return dbus.Array(c.dbus_object_path for c in
2928
tcp_server.clients.itervalues())
2929
3288
tcp_server.clients.values())
3289
2930
3290
@dbus_annotations({"org.freedesktop.DBus.Deprecated":
2931
3291
"true"})
2932
3292
@dbus.service.method(_interface,
2934
3294
def GetAllClientsWithProperties(self):
2935
3295
"D-Bus method"
2936
3296
return dbus.Dictionary(
2937
{ c.dbus_object_path: c.GetAll(
3297
{c.dbus_object_path: c.GetAll(
2938
3298
"se.recompile.Mandos.Client")
2939
for c in tcp_server.clients.itervalues() },
3299
for c in tcp_server.clients.values()},
2940
3300
signature="oa{sv}")
2941
3301
2942
3302
@dbus.service.method(_interface, in_signature="o")
2943
3303
def RemoveClient(self, object_path):
2944
3304
"D-Bus method"
2945
for c in tcp_server.clients.itervalues():
3305
for c in tcp_server.clients.values():
2946
3306
if c.dbus_object_path == object_path:
2947
3307
del tcp_server.clients[c.name]
2948
3308
c.remove_from_connection()
2952
3312
self.client_removed_signal(c)
2953
3313
return
2954
3314
raise KeyError(object_path)
2955
3315
2956
3316
del _interface
2957
3317
2958
3318
@dbus.service.method(dbus.OBJECT_MANAGER_IFACE,
2959
out_signature = "a{oa{sa{sv}}}")
3319
out_signature="a{oa{sa{sv}}}")
2960
3320
def GetManagedObjects(self):
2961
3321
"""D-Bus method"""
2962
3322
return dbus.Dictionary(
2963
{ client.dbus_object_path:
2964
dbus.Dictionary(
2965
{ interface: client.GetAll(interface)
2966
for interface in
2967
client._get_all_interface_names()})
2968
for client in tcp_server.clients.values()})
2969
3323
{client.dbus_object_path:
3324
dbus.Dictionary(
3325
{interface: client.GetAll(interface)
3326
for interface in
3327
client._get_all_interface_names()})
3328
for client in tcp_server.clients.values()})
3329
2970
3330
def client_added_signal(self, client):
2971
3331
"""Send the new standard signal and the old signal"""
2972
3332
if use_dbus:
2974
3334
self.InterfacesAdded(
2975
3335
client.dbus_object_path,
2976
3336
dbus.Dictionary(
2977
{ interface: client.GetAll(interface)
2978
for interface in
2979
client._get_all_interface_names()}))
3337
{interface: client.GetAll(interface)
3338
for interface in
3339
client._get_all_interface_names()}))
2980
3340
# Old signal
2981
3341
self.ClientAdded(client.dbus_object_path)
2982
3342
2983
3343
def client_removed_signal(self, client):
2984
3344
"""Send the new standard signal and the old signal"""
2985
3345
if use_dbus:
2990
3350
# Old signal
2991
3351
self.ClientRemoved(client.dbus_object_path,
2992
3352
client.name)
2993
3353
2994
3354
mandos_dbus_service = MandosDBusService()
2995
3355
3356
# Save modules to variables to exempt the modules from being
3357
# unloaded before the function registered with atexit() is run.
3358
mp = multiprocessing
3359
wn = wnull
3360
2996
3361
def cleanup():
2997
3362
"Cleanup function; run on exit"
2998
3363
if zeroconf:
2999
3364
service.cleanup()
3000
3001
multiprocessing.active_children()
3002
wnull.close()
3365
3366
mp.active_children()
3367
wn.close()
3003
3368
if not (tcp_server.clients or client_settings):
3004
3369
return
3005
3370
3006
3371
# Store client before exiting. Secrets are encrypted with key
3007
3372
# based on what config file has. If config file is
3008
3373
# removed/edited, old secret will thus be unrecovable.
3009
3374
clients = {}
3010
3375
with PGPEngine() as pgp:
3011
for client in tcp_server.clients.itervalues():
3376
for client in tcp_server.clients.values():
3012
3377
key = client_settings[client.name]["secret"]
3013
3378
client.encrypted_secret = pgp.encrypt(client.secret,
3014
3379
key)
3015
3380
client_dict = {}
3016
3381
3017
3382
# A list of attributes that can not be pickled
3018
3383
# + secret.
3019
exclude = { "bus", "changedstate", "secret",
3020
"checker", "server_settings" }
3384
exclude = {"bus", "changedstate", "secret",
3385
"checker", "server_settings"}
3021
3386
for name, typ in inspect.getmembers(dbus.service
3022
3387
.Object):
3023
3388
exclude.add(name)
3024
3389
3025
3390
client_dict["encrypted_secret"] = (client
3026
3391
.encrypted_secret)
3027
3392
for attr in client.client_structure:
3028
3393
if attr not in exclude:
3029
3394
client_dict[attr] = getattr(client, attr)
3030
3395
3031
3396
clients[client.name] = client_dict
3032
3397
del client_settings[client.name]["secret"]
3033
3398
3034
3399
try:
3035
3400
with tempfile.NamedTemporaryFile(
3036
3401
mode='wb',
3038
3403
prefix='clients-',
3039
3404
dir=os.path.dirname(stored_state_path),
3040
3405
delete=False) as stored_state:
3041
pickle.dump((clients, client_settings), stored_state)
3406
pickle.dump((clients, client_settings), stored_state,
3407
protocol=2)
3042
3408
tempname = stored_state.name
3043
3409
os.rename(tempname, stored_state_path)
3044
3410
except (IOError, OSError) as e:
3054
3420
logger.warning("Could not save persistent state:",
3055
3421
exc_info=e)
3056
3422
raise
3057
3423
3058
3424
# Delete all clients, and settings from config
3059
3425
while tcp_server.clients:
3060
3426
name, client = tcp_server.clients.popitem()
3066
3432
if use_dbus:
3067
3433
mandos_dbus_service.client_removed_signal(client)
3068
3434
client_settings.clear()
3069
3435
3070
3436
atexit.register(cleanup)
3071
3072
for client in tcp_server.clients.itervalues():
3437
3438
for client in tcp_server.clients.values():
3073
3439
if use_dbus:
3074
3440
# Emit D-Bus signal for adding
3075
3441
mandos_dbus_service.client_added_signal(client)
3076
3442
# Need to initiate checking of clients
3077
3443
if client.enabled:
3078
3444
client.init_checker()
3079
3445
3080
3446
tcp_server.enable()
3081
3447
tcp_server.server_activate()
3082
3448
3083
3449
# Find out what port we got
3084
3450
if zeroconf:
3085
3451
service.port = tcp_server.socket.getsockname()[1]
3090
3456
else: # IPv4
3091
3457
logger.info("Now listening on address %r, port %d",
3092
3458
*tcp_server.socket.getsockname())
3093
3094
#service.interface = tcp_server.socket.getsockname()[3]
3095
3459
3460
# service.interface = tcp_server.socket.getsockname()[3]
3461
3096
3462
try:
3097
3463
if zeroconf:
3098
3464
# From the Avahi example code
3103
3469
cleanup()
3104
3470
sys.exit(1)
3105
3471
# End of Avahi example code
3106
3107
gobject.io_add_watch(tcp_server.fileno(), gobject.IO_IN,
3108
lambda *args, **kwargs:
3109
(tcp_server.handle_request
3110
(*args[2:], **kwargs) or True))
3111
3472
3473
GLib.io_add_watch(tcp_server.fileno(), GLib.IO_IN,
3474
lambda *args, **kwargs:
3475
(tcp_server.handle_request
3476
(*args[2:], **kwargs) or True))
3477
3112
3478
logger.debug("Starting main loop")
3113
3479
main_loop.run()
3114
3480
except AvahiError as error:
Loggerhead is a web-based interface for Breezy
Version: 2.0.2.dev0