def initDB(backend=None,
host=None,
port=None,
username=None,
password=None,
database=None,
sslmode=None,
sslrootcert=None):
"""
Initialize the database.
Either we get backend and all parameter which means the caller
knows what they are doing, or we populate everything from the
config files.
"""
if backend is None:
if CFG is None or not CFG.is_initialized():
initCFG('server')
backend = CFG.DB_BACKEND
host = CFG.DB_HOST
port = CFG.DB_PORT
database = CFG.DB_NAME
username = CFG.DB_USER
password = CFG.DB_PASSWORD
sslmode = None
sslrootcert = None
if CFG.DB_SSL_ENABLED:
sslmode = 'verify-full'
sslrootcert = CFG.DB_SSLROOTCERT
if backend not in SUPPORTED_BACKENDS:
raise rhnException("Unsupported database backend", backend)
if port:
port = int(port)
# Hide the password
add_to_seclist(password)
try:
__init__DB(backend, host, port, username, password, database, sslmode,
sslrootcert)
__init__DB2(backend, host, port, username, password, database, sslmode,
sslrootcert)
# except (rhnException, SQLError):
# raise # pass on, we know those ones
# except (KeyboardInterrupt, SystemExit):
# raise
except SQLConnectError, e:
try:
global __DB
global __DB2
del __DB
del __DB2
except NameError:
pass
raise e
def initDB(backend=None, host=None, port=None, username=None,
password=None, database=None, sslmode=None, sslrootcert=None, initsecond=False):
"""
Initialize the database.
Either we get backend and all parameter which means the caller
knows what they are doing, or we populate everything from the
config files.
initsecond: If set to True it initialize a second DB connection.
By default only one DB connection is needed.
"""
if backend is None:
if CFG is None or not CFG.is_initialized():
initCFG('server')
backend = CFG.DB_BACKEND
host = CFG.DB_HOST
port = CFG.DB_PORT
database = CFG.DB_NAME
username = CFG.DB_USER
password = CFG.DB_PASSWORD
sslmode = None
sslrootcert = None
if CFG.DB_SSL_ENABLED:
sslmode = 'verify-full'
sslrootcert = CFG.DB_SSLROOTCERT
if backend not in SUPPORTED_BACKENDS:
raise rhnException("Unsupported database backend", backend)
if port:
port = int(port)
# Hide the password
add_to_seclist(password)
try:
if initsecond == False:
__init__DB(backend, host, port, username, password, database, sslmode, sslrootcert)
else:
__init__DB2(backend, host, port, username, password, database, sslmode, sslrootcert)
# except (rhnException, SQLError):
# raise # pass on, we know those ones
# except (KeyboardInterrupt, SystemExit):
# raise
except SQLConnectError:
e = sys.exc_info()[1]
try:
closeDB()
except NameError:
pass
raise_with_tb(e, sys.exc_info()[2])
except:
raise
#e_type, e_value = sys.exc_info()[:2]
# raise rhnException("Could not initialize Oracle database connection",
# str(e_type), str(e_value))
return 0
def initDB(backend=None, host=None, port=None, username=None,
password=None, database=None, sslmode=None, sslrootcert=None, initsecond=False):
"""
Initialize the database.
Either we get backend and all parameter which means the caller
knows what they are doing, or we populate everything from the
config files.
initsecond: If set to True it initialize a second DB connection.
By default only one DB connection is needed.
"""
if backend is None:
if CFG is None or not CFG.is_initialized():
initCFG('server')
backend = CFG.DB_BACKEND
host = CFG.DB_HOST
port = CFG.DB_PORT
database = CFG.DB_NAME
username = CFG.DB_USER
password = CFG.DB_PASSWORD
sslmode = None
sslrootcert = None
if CFG.DB_SSL_ENABLED:
sslmode = 'verify-full'
sslrootcert = CFG.DB_SSLROOTCERT
if backend not in SUPPORTED_BACKENDS:
raise rhnException("Unsupported database backend", backend)
if port:
port = int(port)
# Hide the password
add_to_seclist(password)
try:
if initsecond == False:
__init__DB(backend, host, port, username, password, database, sslmode, sslrootcert)
else:
__init__DB2(backend, host, port, username, password, database, sslmode, sslrootcert)
# except (rhnException, SQLError):
# raise # pass on, we know those ones
# except (KeyboardInterrupt, SystemExit):
# raise
except SQLConnectError:
e = sys.exc_info()[1]
try:
closeDB()
except NameError:
pass
raise e
except:
raise
#e_type, e_value = sys.exc_info()[:2]
# raise rhnException("Could not initialize Oracle database connection",
# str(e_type), str(e_value))
return 0
def new_system(self, data):
"""
This function expects at the INPUT a dictionary that has at least
the following members: username, password, os_release, email
If the username does not exist, it is created. If the username
exists, then password is checked for a match.
If all is well, we send back a server certificate.
--
Hash
--
Struct
Starting with RHEL 5, the client will use activate_registration_number,
activate_hardware_info, new_system_user_pass, and/or
new_system_activation_key instead of this.
In hosted, RHEL 4 and earlier will also call
activate_registration_number
"""
if data.has_key("password"):
add_to_seclist(data["password"])
# Validate we got the minimum necessary input.
self.validate_system_input(data)
# Authorize username and password, if used.
# Store the user object in user.
user = None
if not data.has_key('token'):
user = self.validate_system_user(data["username"],
data["password"])
release_version = data['os_release']
profile_name = data['profile_name']
architecture = data['architecture']
# Create the system and get back the rhnServer object.
#
# bretm 02/19/2007 -- the following things get thrown underneath,
# but we issue the faults in create_system for uniformity:
#
# rhnChannel.SubscriptionCountExceeded
# rhnChannel.BaseChannelDeniedError
# rhnChannel.NoBaseChannelError
# rhnSystemEntitlementException
# |
# +--rhnNoSystemEntitlementsException
server_data = self.create_system(user, profile_name,
release_version,
architecture, data)
newserv = server_data['server']
system_certificate = newserv.system_id()
# Return the server certificate file down to the client.
return system_certificate
def new_system(self, data):
"""
This function expects at the INPUT a dictionary that has at least
the following members: username, password, os_release, email
If the username does not exist, it is created. If the username
exists, then password is checked for a match.
If all is well, we send back a server certificate.
--
Hash
--
Struct
Starting with RHEL 5, the client will use activate_registration_number,
activate_hardware_info, new_system_user_pass, and/or
new_system_activation_key instead of this.
In hosted, RHEL 4 and earlier will also call
activate_registration_number
"""
if data.has_key("password"):
add_to_seclist(data["password"])
# Validate we got the minimum necessary input.
self.validate_system_input(data)
# Authorize username and password, if used.
# Store the user object in user.
user = None
if not data.has_key('token'):
user = self.validate_system_user(data["username"],
data["password"])
release_version = data['os_release']
profile_name = data['profile_name']
architecture = data['architecture']
# Create the system and get back the rhnServer object.
#
# bretm 02/19/2007 -- the following things get thrown underneath,
# but we issue the faults in create_system for uniformity:
#
# rhnChannel.SubscriptionCountExceeded
# rhnChannel.BaseChannelDeniedError
# rhnChannel.NoBaseChannelError
# rhnSystemEntitlementException
# |
# +--rhnNoSystemEntitlementsException
server_data = self.create_system(user, profile_name,
release_version,
architecture, data)
newserv = server_data['server']
system_certificate = newserv.system_id()
# Return the server certificate file down to the client.
return system_certificate
def auth(self, login, password):
add_to_seclist(password)
try:
self.groups, self.org_id, self.user_id = getUserGroups(login, password)
except rhnFault, e:
if e.code == 2:
# invalid login/password; set timeout to baffle
# brute force password guessing attacks (BZ 672163)
time.sleep(2)
raise
def unsubscribeChannels(self, system_id, channelNames, username, passwd):
""" Clients v2+ """
add_to_seclist(passwd)
log_debug(3)
# Authenticate the system certificate
self.auth_system('unsubscribeChannel', system_id)
# log the entry
log_debug(1, self.server_id, channelNames)
for channelName in channelNames:
rhnChannel.unsubscribe_channel(self.server_id, channelName,
username, passwd)
return 0
def unsubscribeChannels(self, system_id, channelNames, username, passwd):
""" Clients v2+ """
add_to_seclist(passwd)
log_debug(3)
# Authenticate the system certificate
self.auth_system('unsubscribeChannel', system_id)
# log the entry
log_debug(1, self.server_id, channelNames)
for channelName in channelNames:
rhnChannel.unsubscribe_channel(self.server_id, channelName,
username, passwd)
return 0
def auth(self, login, password):
add_to_seclist(password)
try:
self.groups, self.org_id, self.user_id = getUserGroups(login, password)
except rhnFault:
e = sys.exc_info()[1]
if e.code == 2:
# invalid login/password; set timeout to baffle
# brute force password guessing attacks (BZ 672163)
time.sleep(2)
raise
log_debug(4, "Groups: %s; org_id: %s; user_id: %s" % (
self.groups, self.org_id, self.user_id))
def initDB(backend=None, host=None, port=None, username=None,
password=None, database=None, sslmode=None, sslrootcert=None):
"""
Initialize the database.
Either we get backend and all parameter which means the caller
knows what they are doing, or we populate everything from the
config files.
"""
if backend is None:
if CFG is None or not CFG.is_initialized():
initCFG('server')
backend = CFG.DB_BACKEND
host = CFG.DB_HOST
port = CFG.DB_PORT
database = CFG.DB_NAME
username = CFG.DB_USER
password = CFG.DB_PASSWORD
sslmode = None
sslrootcert = None
if CFG.DB_SSL_ENABLED:
sslmode = 'verify-full'
sslrootcert = CFG.DB_SSLROOTCERT
if backend not in SUPPORTED_BACKENDS:
raise rhnException("Unsupported database backend", backend)
if port:
port = int(port)
# Hide the password
add_to_seclist(password)
try:
__init__DB(backend, host, port, username, password, database, sslmode, sslrootcert)
__init__DB2(backend, host, port, username, password, database, sslmode, sslrootcert)
# except (rhnException, SQLError):
# raise # pass on, we know those ones
# except (KeyboardInterrupt, SystemExit):
# raise
except SQLConnectError, e:
try:
global __DB
global __DB2
del __DB
del __DB2
except NameError:
pass
raise e
def subscribeChannels(self, system_id, channelNames, username, passwd):
""" Clients v2+ """
add_to_seclist(passwd)
log_debug(5, system_id, channelNames, username, passwd)
# Authenticate the system certificate
self.auth_system('subscribeChannel', system_id)
# log the entry
log_debug(1, self.server_id, channelNames)
server_lib.snapshot_server(self.server_id, 'Base Channel Updated')
for channelName in channelNames:
if NONSUBSCRIBABLE_CHANNELS.search(channelName):
raise rhnFault(73, explain=False)
else:
rhnChannel.subscribe_channel(self.server_id, channelName,
username, passwd)
return 0
def subscribeChannels(self, system_id, channelNames, username, passwd):
""" Clients v2+ """
add_to_seclist(passwd)
log_debug(5, system_id, channelNames, username, passwd)
# Authenticate the system certificate
self.auth_system('subscribeChannel', system_id)
# log the entry
log_debug(1, self.server_id, channelNames)
server_lib.snapshot_server(self.server_id, 'Base Channel Updated')
for channelName in channelNames:
if NONSUBSCRIBABLE_CHANNELS.search(channelName):
raise rhnFault(73, explain=False)
else:
rhnChannel.subscribe_channel(self.server_id, channelName,
username, passwd)
return 0
def getUserGroups(login, password):
# Authenticates a user and returns the list of groups it belongs
# to, and the org id
add_to_seclist(password)
log_debug(4, login)
user = rhnUser.search(login)
if not user:
log_debug("rhnUser.search failed")
raise rhnFault(2)
# Check the user's password
if not user.check_password(password):
log_debug("user.check_password failed")
raise rhnFault(2)
return getUserGroupsFromUserInstance(user)
def reserve_user(self, username, password):
"""
Get an username and a password and create a record for this user.
Eventually mark it as such.
Additionaly this method is used to verify login and password in early
stage of rhn_register.
Returns true value if user is reserved, otherwise fault is raised.
"""
add_to_seclist(password)
log_debug(1, username)
# check user login/password and if not CFG.disallow_user_creation
# then reserver the user
ret = rhnUser.reserve_user(username, password)
log_debug(3, "rhnUser.reserve_user returned: " + str(ret))
if ret < 0:
raise rhnFault(3)
return ret
def reserve_user(self, username, password):
"""
Get an username and a password and create a record for this user.
Eventually mark it as such.
Additionaly this method is used to verify login and password in early
stage of rhn_register.
Returns true value if user is reserved, otherwise fault is raised.
"""
add_to_seclist(password)
log_debug(1, username)
# check user login/password and if not CFG.disallow_user_creation
# then reserver the user
ret = rhnUser.reserve_user(username, password)
log_debug(3, "rhnUser.reserve_user returned: " + str(ret))
if ret < 0:
raise rhnFault(3)
return ret
def getUserGroups(login, password):
# Authenticates a user and returns the list of groups it belongs
# to, and the org id
add_to_seclist(password)
log_debug(4, login)
user = rhnUser.search(login)
if not user:
log_debug("rhnUser.search failed")
raise rhnFault(2)
# Check the user's password
if not user.check_password(password):
log_debug("user.check_password failed")
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
return getUserGroupsFromUserInstance(user)
def getUserGroups(login, password):
# Authenticates a user and returns the list of groups it belongs
# to, and the org id
add_to_seclist(password)
log_debug(4, login)
user = rhnUser.search(login)
if not user:
log_debug("rhnUser.search failed")
raise rhnFault(2)
# Check the user's password
if not user.check_password(password):
log_debug("user.check_password failed")
raise rhnFault(2)
if rhnUser.is_user_disabled(username):
msg = _("""
%s Account has been deactivated on this server.
Please contact your Org administrator for more help.""")
raise rhnFault(1, msg % username, explain=0)
return getUserGroupsFromUserInstance(user)
def new_system_user_pass(self, profile_name, os_release_name,
version, arch, username,
password, other):
""" Registers a new system to an org specified by a username, password, and
optionally an org id.
New for RHEL 5.
All args are strings except other.
other is a dict with:
* org_id - optional. Must be a string that contains the number. If it's
not given, the default org is used.
* reg_num - optional. It should be an EN. It will not be activated. It's
used for automatic subscription to child channels and for deciding which
service level to entitle the machine to (managment, provisioning, etc).
If not given, the machine will only be registered to a base channel and
entitled to the highest level possible.
If a profile is created it will return a dict with:
* system_id - the same xml as was previously returned
* channels - a list of the channels (as strings) the system was
subscribed to
* failed_channels - a list of channels (as strings) that
the system should have been subscribed to but couldn't be because they
don't have the necessary entitlements available. Can contain all the
channels including the base channel.
* system_slots - a list of the system slots used (as strings).
* failed_system_slots - a list of system slots (as strings) that they
should have used but couldn't because there weren't available
entitlements
* universal_activation_key - a list of universal default activation keys
(as strings) that were used while registering.
Allowable slots are 'enterprise_entitled' (management), 'sw_mgr_entitled'
(updates), 'monitoring_entitled' (monitoring add on to management), and
provisioning_entitled (provisioning add on to management).
The call will try to use the highest system slot available. An entry will
be added to failed_system_slots for each one that is tried and fails and
system_slots will contain the one that succeeded if any.
Eg: Calling this on hosted with no reg num and only update entitlements
will result in system_slots containing 'sw_mgr_entitled' and
failed_system_slots containing 'enterprise_entitled'.
If an error occurs which prevents the creation of a profile, a fault will
be raised:
TODO
"""
add_to_seclist(password)
log_debug(4,'in new_system_user_pass')
# release_name wasn't required in the old call, so I'm just going to
# add it to other
other['release_name'] = os_release_name
# Authorize the username and password. Save the returned user object.
user = self.validate_system_user(username, password)
# This creates the rhnServer record and commits it to the db.
# It also assigns the system a base channel.
server_data = self.create_system(user, profile_name,
version,
arch,
other)
# Save the returned Server object
newserv = server_data['server']
# Get the server db id.
server_id = newserv.getid()
# Get the server certificate file
system_certificate = newserv.system_id()
log_debug(4, 'Server id created as %s' % server_id)
failures = []
unknowns = []
# Build our return values.
attempted_channels = []
successful_channels = []
failed_channels = []
actual_channels = rhnChannel.channels_for_server(server_id)
for channel in actual_channels:
successful_channels.append(channel['label'])
# If we don't have any successful channels, we know the base channel
# failed.
if len(successful_channels) == 0:
log_debug(4, 'System %s not subscribed to any channels' % server_id)
# Look up the base channel, and store it as a failure.
try:
base = rhnChannel.get_channel_for_release_arch(
version,
arch, newserv['org_id'])
failed_channels.append(base['label'])
# We want to swallow exceptions here as we are just generating data
# for the review screen in rhn_register.
except:
pass
# Store any of our child channel failures
failed_channels = failed_channels + failures
attempted_system_slots = ['enterprise_entitled', 'sw_mgr_entitled']
successful_system_slots = server_lib.check_entitlement(server_id)
successful_system_slots = successful_system_slots.keys()
failed_system_slots = []
# Check which entitlement level we got, starting with the highest.
i = 0
for slot in attempted_system_slots:
if slot in successful_system_slots:
break
i = i + 1
# Any entitlements we didn't have, we'll store as a failure.
failed_system_slots = attempted_system_slots[0:i]
universal_activation_key = []
if rhnFlags.test("universal_registration_token"):
token = rhnFlags.get("universal_registration_token")
universal_activation_key = token.get_tokens()
return { 'system_id' : system_certificate,
'channels' : successful_channels,
'failed_channels' : failed_channels,
'failed_options' : unknowns,
'system_slots' : successful_system_slots,
'failed_system_slots' : failed_system_slots,
'universal_activation_key' : universal_activation_key
}
def new_system_user_pass(self, profile_name, os_release_name,
version, arch, username,
password, other):
""" Registers a new system to an org specified by a username, password, and
optionally an org id.
New for RHEL 5.
All args are strings except other.
other is a dict with:
* org_id - optional. Must be a string that contains the number. If it's
not given, the default org is used.
* reg_num - optional. It should be an EN. It will not be activated. It's
used for automatic subscription to child channels and for deciding which
service level to entitle the machine to (managment, provisioning, etc).
If not given, the machine will only be registered to a base channel and
entitled to the highest level possible.
If a profile is created it will return a dict with:
* system_id - the same xml as was previously returned
* channels - a list of the channels (as strings) the system was
subscribed to
* failed_channels - a list of channels (as strings) that
the system should have been subscribed to but couldn't be because they
don't have the necessary entitlements available. Can contain all the
channels including the base channel.
* system_slots - a list of the system slots used (as strings).
* failed_system_slots - a list of system slots (as strings) that they
should have used but couldn't because there weren't available
entitlements
* universal_activation_key - a list of universal default activation keys
(as strings) that were used while registering.
Allowable slots are 'enterprise_entitled' (management), 'sw_mgr_entitled'
(updates), 'monitoring_entitled' (monitoring add on to management), and
provisioning_entitled (provisioning add on to management).
The call will try to use the highest system slot available. An entry will
be added to failed_system_slots for each one that is tried and fails and
system_slots will contain the one that succeeded if any.
Eg: Calling this on hosted with no reg num and only update entitlements
will result in system_slots containing 'sw_mgr_entitled' and
failed_system_slots containing 'enterprise_entitled'.
If an error occurs which prevents the creation of a profile, a fault will
be raised:
TODO
"""
add_to_seclist(password)
log_debug(4,'in new_system_user_pass')
# release_name wasn't required in the old call, so I'm just going to
# add it to other
other['release_name'] = os_release_name
# Authorize the username and password. Save the returned user object.
user = self.validate_system_user(username, password)
# This creates the rhnServer record and commits it to the db.
# It also assigns the system a base channel.
server_data = self.create_system(user, profile_name,
version,
arch,
other)
# Save the returned Server object
newserv = server_data['server']
# Get the server db id.
server_id = newserv.getid()
# Get the server certificate file
system_certificate = newserv.system_id()
log_debug(4, 'Server id created as %s' % server_id)
failures = []
unknowns = []
# Build our return values.
attempted_channels = []
successful_channels = []
failed_channels = []
actual_channels = rhnChannel.channels_for_server(server_id)
for channel in actual_channels:
successful_channels.append(channel['label'])
# If we don't have any successful channels, we know the base channel
# failed.
if len(successful_channels) == 0:
log_debug(4, 'System %s not subscribed to any channels' % server_id)
# Look up the base channel, and store it as a failure.
try:
base = rhnChannel.get_channel_for_release_arch(
version,
arch, newserv['org_id'])
failed_channels.append(base['label'])
# We want to swallow exceptions here as we are just generating data
# for the review screen in rhn_register.
except:
pass
# Store any of our child channel failures
failed_channels = failed_channels + failures
attempted_system_slots = ['enterprise_entitled', 'sw_mgr_entitled']
successful_system_slots = server_lib.check_entitlement(server_id)
successful_system_slots = successful_system_slots.keys()
failed_system_slots = []
# Check which entitlement level we got, starting with the highest.
i = 0
for slot in attempted_system_slots:
if slot in successful_system_slots:
break
i = i + 1
# Any entitlements we didn't have, we'll store as a failure.
failed_system_slots = attempted_system_slots[0:i]
universal_activation_key = []
if rhnFlags.test("universal_registration_token"):
token = rhnFlags.get("universal_registration_token")
universal_activation_key = token.get_tokens()
return { 'system_id' : system_certificate,
'channels' : successful_channels,
'failed_channels' : failed_channels,
'failed_options' : unknowns,
'system_slots' : successful_system_slots,
'failed_system_slots' : failed_system_slots,
'universal_activation_key' : universal_activation_key
}
