def _get_storage_paths() -> List[str]:
if util.is_windows_os():
storage_paths = WINDOWS_STORAGE_PATHS
else:
storage_paths = LINUX_STORAGE_PATHS
return storage_paths
def _parse_user(user):
if util.is_windows_os():
raise Exception('This function is not supported on windows')
row = None
try:
try:
# attempt to treat the 'user' option as a uid
uid = int(user)
except ValueError:
# if that failed, look up the username and get the associated uid
row = pwd.getpwnam(user)
else:
row = pwd.getpwuid(uid)
except KeyError:
print("Warning: user \'%s\' does not exist - "
"duoauthproxy will not drop privileges" % user, file=sys.stderr)
if row:
return (row.pw_uid, row.pw_gid)
return (None, None)
def restrict_permissions(path: str) -> None:
"""
Restricts the permissions on a file to something reasonably secure on both linux
and windows
args:
path (str): Path to file to secure. Does not work on directories
"""
if util.is_windows_os():
import win32api
import win32con
if os.path.exists(path):
existing_attributes = win32api.GetFileAttributes(path)
win32api.SetFileAttributes(
path, existing_attributes | win32con.FILE_ATTRIBUTE_HIDDEN)
else:
if os.path.isdir(path):
os.chmod(path, 0o700)
elif os.path.isfile(path):
os.chmod(path, 0o600)
def check_valid_bind_dn_for_auth_type(config, toolbox):
"""
Checks that bind_dn has been specified if it's required for the specified
auth_type.
Args:
config (ConfigDict): The config object to check
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of BaseResult
"""
problems = []
try:
if util.is_windows_os():
auth_type = config.get_enum(
"auth_type",
const.AD_AUTH_TYPES_WIN,
const.AD_AUTH_TYPE_NTLM_V2,
str.lower,
)
else:
auth_type = config.get_enum(
"auth_type",
const.AD_AUTH_TYPES_NIX,
const.AD_AUTH_TYPE_NTLM_V2,
str.lower,
)
has_bind_dn = toolbox.test_config_has_value(config, "bind_dn")
if auth_type == const.AD_AUTH_TYPE_PLAIN and not has_bind_dn:
problems.append(
UnmetDependency(message="bind_dn is required for "
"auth_type %s" % auth_type))
except ConfigError:
problems.append(
SkippedTest(test=check_valid_bind_dn_for_auth_type.__name__,
key="auth_type"))
return problems
def _verify_ldap_config_args(self, bind_dn: str, bind_pw: str,
auth_type: str, transport_type: str) -> None:
if util.is_windows_os():
if auth_type not in const.AD_AUTH_TYPES_WIN:
raise drpc_exceptions.CallBadArgError(["auth_type"])
else:
if auth_type not in const.AD_AUTH_TYPES_NIX:
raise drpc_exceptions.CallBadArgError(["auth_type"])
if transport_type not in const.AD_TRANSPORTS:
raise drpc_exceptions.CallBadArgError(["transport_type"])
if auth_type != const.AD_AUTH_TYPE_SSPI and (bind_dn == ""
or bind_pw == ""):
e = drpc_exceptions.CallError(
ERR_LDAP_CONFIGURATION_FAILED,
{
"authproxy_configuration_error":
"Missing {0} or {1}".format(CONFIG_BIND_USER,
CONFIG_BIND_PASSWORD)
},
)
log.error("{msg}. Error: {error}",
msg=ERR_LDAP_CONFIGURATION_FAILED,
error=e)
raise e
from twisted.logger import (
FileLogObserver,
FilteringLogObserver,
LegacyLogObserverWrapper,
LogLevel,
LogLevelFilterPredicate,
PredicateResult,
formatEvent,
jsonFileLogObserver,
textFileLogObserver,
)
from twisted.python.logfile import LogFile
from duoauthproxy.lib import config_error, log, util
if not util.is_windows_os():
# This module is not supported on Windows
import grp
import pwd
try:
from twisted.python import syslog
import syslog as pySyslog
except ImportError:
syslog = None
def get_observers(main_config, twistd_user, log_group):
log_debug = main_config.get_bool("debug", False)
log_to_file = main_config.get_bool("log_file", False)
log_stdout = main_config.get_bool("log_stdout", False)
def check_config_values(config, toolbox):
"""
Validates the values for provided config in the [ad_client] section
Args:
config (ConfigDict): The config object to check the optional config for
toolbox (ConfigTestToolbox): Toolbox used to execute the tests
Returns:
list of BaseResult
"""
problems = []
config_test_resolver = base.get_basic_config_resolver(toolbox)
config_dict = {
"service_account_username":
toolbox.test_is_string,
"service_account_password":
toolbox.test_is_string,
"service_account_password_protected":
toolbox.test_is_string,
"search_dn":
toolbox.test_dn,
"security_group_dn":
toolbox.test_dn,
"ldap_filter":
toolbox.test_ldap_filter,
"timeout":
toolbox.test_is_int,
"ssl_ca_certs_file":
toolbox.test_file_readable,
"ssl_verify_hostname":
toolbox.test_is_bool,
"bind_dn":
toolbox.test_dn,
"ntlm_domain":
toolbox.test_is_string,
"ntlm_workstation":
toolbox.test_is_string,
"port":
toolbox.test_valid_port,
"transport":
functools.partial(toolbox.test_valid_enum,
enum=const.AD_TRANSPORTS,
transform=str.lower),
"username_attribute":
toolbox.test_is_string,
"at_attribute":
toolbox.test_is_string,
}
if util.is_windows_os():
config_dict["auth_type"] = functools.partial(
toolbox.test_valid_enum,
enum=const.AD_AUTH_TYPES_WIN,
transform=str.lower)
config_test_resolver.update(config_dict)
else:
config_dict["auth_type"] = functools.partial(
toolbox.test_valid_enum,
enum=const.AD_AUTH_TYPES_NIX,
transform=str.lower)
config_test_resolver.update(config_dict)
dynamic_test_resolver = {
"host": toolbox.test_is_string,
}
base.add_dynamic_keys_to_test_resolver(config, config_test_resolver,
dynamic_test_resolver)
problems += base.run_config_value_checks(config, config_test_resolver)
problems += base.check_for_unexpected_keys(config, toolbox,
config_test_resolver)
possible_protected_keys = ["service_account_password_protected"]
problems += base.check_protected_usage(config, toolbox,
possible_protected_keys)
return problems