=== modified file 'TODO' --- TODO 2010-04-14 06:36:36 +0000 +++ TODO 2010-06-19 00:37:04 +0000 @@ -1,5 +1,7 @@ -*- org -*- +* _attribute_((nonnull)) + * mandos-client ** TODO [#B] use scandir(3) instead of readdir(3) ** TODO [#B] Prefix all debug output with "Mandos plugin " + program_invocation_short_name @@ -38,6 +40,8 @@ ** TODO [#C] use same file name rules as run-parts(8) ** kernel command line option for debug info ** TODO [#B] use error() instead of perror() +** TODO [$B] Use openat() and readdir64() + http://udrepper.livejournal.com/19395.html * mandos (server) ** TODO [#B] Log level :BUGS: @@ -76,6 +80,9 @@ *** NeedsPassword(50) - Timeout, default disapprove + SetPass(u"gazonk", True) -> Approval, persistent + Approval(False) -> Close client connection immediately +** TODO [#C] python-parsedatetime +** TODO [#C] systemd/launchd + http://0pointer.de/blog/projects/systemd.html * mandos.xml ** [[file:mandos.xml::XXX][Document D-Bus interface]] @@ -106,6 +113,8 @@ For testing decryption before rebooting. * Makefile +** TODO Add "--Xlinker --as-needed" + http://udrepper.livejournal.com/19395.html ** TODO [#C] Implement DEB_BUILD_OPTIONS http://www.debian.org/doc/debian-policy/ch-source.html#s-debianrules-options === modified file 'mandos' --- mandos 2010-04-14 06:36:36 +0000 +++ mandos 2010-06-19 00:37:04 +0000 @@ -60,6 +60,7 @@ import fcntl import functools import cPickle as pickle +import select import dbus import dbus.service @@ -1006,15 +1007,6 @@ gnutls.connection .X509Credentials())) - line = self.request.makefile().readline() - logger.debug(u"Protocol version: %r", line) - try: - if int(line.strip().split()[0]) > 1: - raise RuntimeError - except (ValueError, IndexError, RuntimeError), error: - logger.error(u"Unknown protocol version: %s", error) - return - # Note: gnutls.connection.X509Credentials is really a # generic GnuTLS certificate credentials object so long as # no X.509 keys are added to it. Therefore, we can use it 
@@ -1032,6 +1024,18 @@ .gnutls_priority_set_direct(session._c_object, priority, None)) + # Start communication using the Mandos protocol + # Get protocol number + line = self.request.makefile().readline() + logger.debug(u"Protocol version: %r", line) + try: + if int(line.strip().split()[0]) > 1: + raise RuntimeError + except (ValueError, IndexError, RuntimeError), error: + logger.error(u"Unknown protocol version: %s", error) + return + + # Start GnuTLS connection try: session.handshake() except gnutls.errors.GNUTLSError, error: @@ -1057,17 +1061,31 @@ ipc.write(u"NOTFOUND %s %s\n" % (fpr, unicode(self.client_address))) return + + class ClientProxy(object): + """Client proxy object. Not for calling methods.""" + def __init__(self, client): + self.client = client + def __getattr__(self, name): + if name.startswith("ipc_"): + def tempfunc(): + ipc.write("%s %s\n" % (name[4:].upper(), + self.client.name)) + return tempfunc + if not hasattr(self.client, name): + raise AttributeError + ipc.write(u"GETATTR %s %s\n" + % (name, self.client.fingerprint)) + return pickle.load(ipc_return) + clientproxy = ClientProxy(client) # Have to check if client.enabled, since it is # possible that the client was disabled since the # GnuTLS session was established. - ipc.write(u"GETATTR enabled %s\n" % fpr) - enabled = pickle.load(ipc_return) - if not enabled: - ipc.write(u"DISABLED %s\n" % client.name) + if not clientproxy.enabled: + clientproxy.ipc_disabled() return - # Send "NEED_APPROVAL" here and hang waiting - # for response? Leave timeout to parent process? - ipc.write(u"SENDING %s\n" % client.name) + + clientproxy.ipc_sending() sent_size = 0 while sent_size < len(client.secret): sent = session.send(client.secret[sent_size:])
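Review bot: The protocol-version line is still read from the plaintext socket before `session.handshake()`, and `readline()` is called with no size argument, so an unauthenticated peer can hold this handler and grow memory by sending arbitrarily long data with no newline; bound it with `line = self.request.makefile().readline(64)` and treat a line that does not end in `\n` as an unknown protocol version. The read also goes through a buffered file object that is discarded immediately: if Python 2's socket file object reads ahead (it recv()s in 8 KiB chunks), any bytes the client sent right after the version line — presumably the start of the TLS handshake — would be swallowed before GnuTLS ever sees the socket, so confirm the client's send pattern before relying on this ordering. The enclosing handle method starts before this hunk and the handshake `try` continues after it.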
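Review bot: In `ClientProxy.__getattr__` any name beginning with `ipc_` is accepted without validation, so a misspelled call such as `clientproxy.ipc_disbaled()` is silently forwarded to the parent as the command `DISBALED` instead of raising; check `name[4:].upper()` against the commands the parent actually handles (at least `DISABLED` and `SENDING` from this hunk, the full set is outside the diff) and otherwise `raise AttributeError(name)`. The bare `raise AttributeError` on the fallback path should likewise carry `name` so tracebacks show which attribute was missing. `return pickle.load(ipc_return)` deserialises whatever arrives on the return pipe; that is acceptable only because the peer is this program's own parent process, and a comment such as `# ipc_return is a pipe from our parent process; pickle is trusted only for that reason` would record the boundary. Be aware too that in Python 2 `hasattr(clientproxy, ...)` swallows any exception raised inside this `__getattr__`, including a failed pickle load, which would leave the IPC stream out of step. The enclosing handle method starts before this hunk and continues after it.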