def __init__(self, dict=None):
self.ifaces = {}
self.db_ifaces = []
# parameters which are not allowed to be empty and set to NULL
self._autonull = ('ip_addr','netmask','broadcast','hw_addr','module')
if not dict:
return
for name, info in dict.items():
if name == 'class':
# Ignore it
continue
if not isinstance(info, type({})):
raise rhnFault(53, "Unexpected format for interface %s" %
name)
vdict = {}
for key, mapping in self.key_mapping.items():
# Look at the mapping first; if not found, look for the key
if info.has_key(mapping):
k = mapping
else:
k = key
if not info.has_key(k):
raise rhnFault(53, "Unable to find required field %s"
% key)
val = info[k]
if mapping in ['ip_addr', 'netmask', 'broadcast']:
# bugzilla: 129840 kudzu (rhpl) will sometimes pad octets
# with leading zeros, causing confusion; clean those up
val = cleanse_ip_addr(val)
vdict[mapping] = val
self.ifaces[name] = vdict
def check_user_password(username, password):
# username is required
if not username:
raise rhnFault(11)
# password is required
if not password:
raise rhnFault(12)
if len(username) < CFG.MIN_USER_LEN:
raise rhnFault(13, _("username should be at least %d characters")
% CFG.MIN_USER_LEN)
if len(username) > CFG.MAX_USER_LEN:
raise rhnFault(700, _("username should be less than %d characters")
% CFG.MAX_USER_LEN)
username = username[:CFG.MAX_USER_LEN]
# Invalid characters
# ***NOTE*** Must coordinate with web and installer folks about any
# changes to this set of characters!!!!
invalid_re = re.compile(".*[\s&+%'`\"=#]", re.I)
tmp = invalid_re.match(username)
if tmp is not None:
pos = tmp.regs[0]
raise rhnFault(15, _("username = `%s', invalid character `%s'") % (
username, username[pos[1]-1]))
# use new password validation method
validate_new_password(password)
return username, password
def entitle(self, server_id, history, virt_type = None):
"""
Entitle a server according to the entitlements we have configured.
"""
log_debug(3, self.entitlements)
entitle_server = rhnSQL.Procedure("rhn_entitlements.entitle_server")
# TODO: entitle_server calls can_entitle_server, so we're doing this
# twice for each successful call. Is it necessary for external error
# handling or can we ditch it?
can_entitle_server = rhnSQL.Function(
"rhn_entitlements.can_entitle_server", rhnSQL.types.NUMBER())
can_ent = None
history["entitlement"] = ""
# Do a quick check to see if both virt entitlements are present. (i.e.
# activation keys stacked together) If so, give preference to the more
# powerful virtualization platform and remove the regular virt
# entitlement from the list.
found_virt = False
found_virt_platform = False
for entitlement in self.entitlements:
if entitlement[0] == VIRT_ENT_LABEL:
found_virt = True
elif entitlement[0] == VIRT_PLATFORM_ENT_LABEL:
found_virt_platform = True
for entitlement in self.entitlements:
if virt_type is not None and entitlement[0] in \
(VIRT_ENT_LABEL, VIRT_PLATFORM_ENT_LABEL):
continue
# If both virt entitlements are present, skip the least powerful:
if found_virt and found_virt_platform and entitlement[0] == VIRT_ENT_LABEL:
log_debug(1, "Virtualization and Virtualization Platform " +
"entitlements both present.")
log_debug(1, "Skipping Virtualization.")
continue
try:
can_ent = can_entitle_server(server_id, entitlement[0])
except rhnSQL.SQLSchemaError, e:
can_ent = 0
try:
# bugzilla #160077, skip attempting to entitle if we cant
if can_ent:
entitle_server(server_id, entitlement[0])
except rhnSQL.SQLSchemaError, e:
log_error("Token failed to entitle server", server_id,
self.get_names(), entitlement[0], e.errmsg)
if e.errno == 20220:
#ORA-20220: (servergroup_max_members) - Server group membership
#cannot exceed maximum membership
raise rhnFault(91,
_("Registration failed: RHN Software Management service entitlements exhausted"))
#No idea what error may be here...
raise rhnFault(90, e.errmsg)
def updateDist(self, kwargs, username, password):
log_debug(3)
self._auth(username, password)
if not kwargs.get('release'):
raise rhnFault(23, "Insufficient data, release missing to update dist", explain=0)
if not kwargs.get('os'):
kwargs['os'] = 'Red Hat Linux'
if kwargs.get('channel_id') is None:
# Missing stuff
raise rhnFault(23, "Insufficient data, channel_id missing to update dist", explain=0)
if kwargs.get('channel_arch_id') is None:
# Missing stuff
raise rhnFault(23, "Insufficient data, channel arch id missing to update dist", explain=0)
try:
rhnSQL.execute("""
insert into rhnDistChannelMap
(channel_id, channel_arch_id, os, release)
values
(:channel_id, :channel_arch_id, :os, :release)
""", kwargs)
except rhnSQL.SQLError, e:
rhnSQL.rollback()
raise rhnFault(23, str(e.args[1]), explain=0 )
def get_package_path(server_id, pkg_spec, channel):
log_debug(3, server_id, pkg_spec, channel)
if isinstance(pkg_spec, ListType):
pkg = pkg_spec[:4]
#Insert EPOCH
pkg.insert(1, None)
else:
pkg = parseRPMFilename(pkg_spec)
if pkg is None:
log_debug(4, "Error", "Requested weird package", pkg_spec)
raise rhnFault(17, _("Invalid RPM package %s requested") % pkg_spec)
statement = """
select p.id, p.path path, pe.epoch epoch
from
rhnPackageArch pa,
rhnChannelPackage cp,
rhnPackage p,
rhnPackageEVR pe,
rhnServerChannel sc,
rhnPackageName pn,
rhnChannel c
where 1=1
and c.label = :channel
and pn.name = :name
and sc.server_id = :server_id
and pe.version = :ver
and pe.release = :rel
and c.id = sc.channel_id
and c.id = cp.channel_id
and pa.label = :arch
and pn.id = p.name_id
and p.id = cp.package_id
and p.evr_id = pe.id
and sc.channel_id = cp.channel_id
and p.package_arch_id = pa.id
"""
h = rhnSQL.prepare(statement)
pkg = map(str, pkg)
h.execute(name = pkg[0], ver = pkg[2], rel = pkg[3], arch = pkg[4],
channel = channel, server_id = server_id)
rs = h.fetchall_dict()
if not rs:
log_debug(4, "Error", "Non-existant package requested", server_id,
pkg_spec, channel)
raise rhnFault(17, _("Invalid RPM package %s requested") % pkg_spec)
# It is unlikely for this query to return more than one row,
# but it is possible
# (having two packages with the same n, v, r, a and different epoch in
# the same channel is prohibited by the RPM naming scheme; but extra
# care won't hurt)
max_row = rs[0]
for each in rs[1:]:
# Compare the epoch as string
if _none2emptyString(each['epoch']) > _none2emptyString(max_row['epoch']):
max_row = each
# Set the flag for the proxy download accelerator
rhnFlags.set("Download-Accelerator-Path", max_row['path'])
return check_package_file(max_row['path'], max_row['id'], pkg_spec), max_row['id']
def _get_file_revision(self, config_channel, revision, path):
if revision and not revision.isdigit():
raise rhnFault(4016, "Invalid revision number '%s' specified for path %s "
"in channel %s" % (revision, path, config_channel),
explain=0)
f = self._get_file(config_channel, path, revision=revision)
if not f:
raise rhnFault(4011, "File %s (revision %s) does not exist "
"in channel %s" % (path, revision, config_channel),
explain=0)
if f['label'] == 'file' and f['is_binary'] == 'Y':
raise rhnFault(4004, "File %s (revision %s) seems to contain "
"binary data" % (path, revision),
explain=0)
# We have to read the contents of the first file here, because the LOB
# object is tied to a cursor; if we re-execute the cursor, the LOB
# seems to be invalid (bug 151220)
# Empty files or directories may have NULL instead of lobs
fd, f['filename'] = tempfile.mkstemp(prefix = '/tmp/rhncfg-')
fc_lob = f.get('file_contents')
if fc_lob:
os.write(fd, rhnSQL.read_lob(fc_lob))
os.close(fd)
del fc_lob
return f
def __processPackage(package, org_id, channels, source):
log_debug(4, org_id, channels, source)
if 'md5sum' in package: # for old rhnpush compatibility
package['checksum_type'] = 'md5'
package['checksum'] = package['md5sum']
del(package['md5sum'])
if 'checksum' not in package:
raise rhnFault(50, "The package's checksum digest has not been specified")
if not package.has_key('packageSize'):
raise rhnFault(50, "The package size has not been specified")
header = rhn_rpm.headerLoad(package['header'].data)
if not header:
raise rhnFault(50)
packageSize = package['packageSize']
relpath = package.get('relativePath')
if package.has_key('header_start'):
header_start = package['header_start']
else:
header_start = 0
if package.has_key('header_end'):
header_end = package['header_end']
else:
# Just say the whole package
header_end = packageSize
checksum_type = package['checksum_type']
checksum = package['checksum']
p = createPackage(header, packageSize, checksum_type, checksum, relpath, org_id,
header_start, header_end, channels)
return p
def auth_client(self, token):
""" Authenticate a system based on the same authentication tokens
the client is sending for GET requests
"""
log_debug(3)
# Build a UserDictCase out of the token
dict = UserDictCase(token)
# Set rhnFlags so that we can piggyback on apacheAuth's auth_client
rhnFlags.set('AUTH_SESSION_TOKEN', dict)
# XXX To clean up apacheAuth.auth_client's logging, this is not about
# GET requests
result = apacheAuth.auth_client()
if not result:
raise rhnFault(33, _("Invalid session key"))
log_debug(4, "Client auth OK")
# We checked it already, so we're sure it's there
client_id = dict['X-RHN-Server-Id']
server = rhnServer.search(client_id)
if not server:
raise rhnFault(8, _("This server ID no longer exists"))
# XXX: should we check if the username still has access to it?
# probably not, because there is no known good way we can
# update the server system_id on the client side when
# permissions change... Damn it. --gafton
self.server = server
self.server_id = client_id
self.user = dict['X-RHN-Auth-User-Id']
return server
def validate_new_password(password):
log_debug(3, "Entered validate_new_password")
#
# We're copying the code because we don't want to
# invalidate any of the existing passwords.
#
# Validate password based on configurable length
# regular expression
if not password:
raise rhnFault(12)
if len(password) < CFG.MIN_PASSWD_LEN:
raise rhnFault(14, _("password must be at least %d characters")
% CFG.MIN_PASSWD_LEN)
if len(password) > CFG.MAX_PASSWD_LEN:
raise rhnFault(701, _("Password must be shorter than %d characters")
% CFG.MAX_PASSWD_LEN)
password = password[:CFG.MAX_PASSWD_LEN]
invalid_re = re.compile(
r"[^ A-Za-z0-9`!@#$%^&*()-_=+[{\]}\\|;:'\",<.>/?~]")
asterisks_re = re.compile(r"^\**$")
# make sure the password isn't all *'s
tmp = asterisks_re.match(password)
if tmp is not None:
raise rhnFault(15, "password cannot be all asterisks '*'")
# make sure we have only printable characters
tmp = invalid_re.search(password)
if tmp is not None:
pos = tmp.regs[0]
raise rhnFault(15,
_("password contains character `%s'") % password[pos[1]-1])
def getAnyChecksum(self, info, username = None, password = None, session = None, is_source = 0):
""" returns checksum info of available packages
also does an existance check on the filesystem.
"""
log_debug(3)
pkg_infos = info.get('packages')
channels = info.get('channels', [])
force = info.get('force', 0)
orgid = info.get('org_id')
if orgid == 'null':
null_org=1
else:
null_org=None
if not session:
org_id, force = rhnPackageUpload.authenticate(username, password,
channels=channels,
null_org=null_org,
force=force)
else:
try:
org_id, force = rhnPackageUpload.authenticate_session(
session, channels=channels, null_org=null_org, force=force)
except rhnSession.InvalidSessionError:
raise rhnFault(33)
except rhnSession.ExpiredSessionError:
raise rhnFault(34)
if is_source:
ret = self._getSourcePackageChecksum(org_id, pkg_infos)
else:
ret = self._getPackageChecksum(org_id, pkg_infos)
return ret
def _repodata_taskomatic(self, file_name):
log_debug(3, 'repodata', file_name)
content_type = "application/x-gzip"
if file_name in ["repomd.xml", "comps.xml"]:
content_type = "text/xml"
elif file_name not in ["primary.xml.gz", "other.xml.gz",
"filelists.xml.gz", "updateinfo.xml.gz"]:
log_debug(2, "Unknown repomd file requested: %s" % file_name)
raise rhnFault(6)
# XXX this won't be repconned or CDNd
if file_name == "comps.xml":
return self._repodata_python(file_name)
file_path = "%s/%s/%s" % (CFG.REPOMD_PATH_PREFIX, self.channelName, file_name)
rhnFlags.set('Content-Type', content_type)
try:
rhnFlags.set('Download-Accelerator-Path', file_path)
return self._getFile(CFG.REPOMD_CACHE_MOUNT_POINT + "/" + file_path)
except IOError, e:
# For file not found, queue up a regen, and return 404
if e.errno == 2 and file_name != "comps.xml":
taskomatic.add_to_repodata_queue(self.channelName,
"repodata request", file_name, bypass_filters=True)
rhnSQL.commit()
# This returns 404 to the client
raise rhnFault(6)
raise e
def headerParserHandler(self, req):
ret = basePackageUpload.BasePackageUpload.headerParserHandler(self, req)
# Optional headers
maps = [['Null-Org', 'null_org'], ['Packaging', 'packaging']]
for hn, sn in maps:
header_name = "%s-%s" % (self.header_prefix, hn)
if req.headers_in.has_key(header_name):
setattr(self, sn, req.headers_in[header_name])
if ret != apache.OK:
return ret
if CFG.SEND_MESSAGE_TO_ALL:
rhnSQL.closeDB()
log_debug(1, "send_message_to_all is set")
rhnFlags.set("apache-return-code", apache.HTTP_NOT_FOUND)
try:
outage_message = open(CFG.MESSAGE_TO_ALL).read()
except IOError:
log_error("Missing outage message file")
outage_message = "Outage mode"
raise rhnFault(20001, outage_message, explain=0)
# Init the database connection
rhnSQL.initDB()
use_session = 0
if self.field_data.has_key('Auth-Session'):
session_token = self.field_data['Auth-Session']
use_session = 1
else:
encoded_auth_token = self.field_data['Auth']
if not use_session:
auth_token = self.get_auth_token(encoded_auth_token)
if len(auth_token) < 2:
log_debug(3, auth_token)
raise rhnFault(105, "Unable to autenticate")
self.username, self.password = auth_token[:2]
force = self.field_data['Force']
force = int(force)
log_debug(1, "Username", self.username, "Force", force)
if use_session:
self.org_id, self.force = rhnPackageUpload.authenticate_session(session_token,
force=force, null_org=self.null_org)
else:
# We don't push to any channels
self.org_id, self.force = rhnPackageUpload.authenticate(self.username,
self.password, force=force, null_org=self.null_org)
nevra = [self.package_name, "", self.package_version,
self.package_release, self.package_arch]
return apache.OK
def _get_item_id(self, prefix, name, errnum, errmsg):
prefix_len = len(prefix)
if name[:prefix_len] != prefix:
raise rhnFault(errnum, errmsg % name)
try:
id = int(name[prefix_len:])
except ValueError:
raise rhnFault(errnum, errmsg % name)
return id
def _auth(self, username, password):
if not (username and password):
raise rhnFault(50, "Missing username/password arguments", explain=0)
authobj = auth(username, password)
if not authobj:
raise rhnFault(50, "Invalid username/password arguments", explain=0)
return authobj
def auth_username_password(username, password):
user = search(username)
if not user:
raise rhnFault(2, _("Invalid username/password combination"))
if not user.check_password(password):
raise rhnFault(2, _("Invalid username/password combination"))
return user
def check_package_file(rel_path, logpkg, raisepkg):
if rel_path is None:
log_error("Package path null for package id", logpkg)
raise rhnFault(17, _("Invalid RPM package %s requested") % raisepkg)
filePath = "%s/%s" % (CFG.MOUNT_POINT, rel_path)
if not os.access(filePath, os.R_OK):
# Package not found on the filesystem
log_error("Package not found", filePath)
raise rhnFault(17, _("Package not found"))
return filePath
def header(self, system_id, pkgList):
""" Clients v1-
IN: system_id: ....
a package identifier (or a list of them)
[n,v,r,e] or
[[n,v,r,e],...]
OUT: If Proxy:
If Client:
"""
log_debug(5, system_id, pkgList)
if type(pkgList) not in (ListType, TupleType) or not len(pkgList):
log_error("Invalid package list spec", type(pkgList),
"len = %d" % len(pkgList))
raise rhnFault(30, _("Invalid value %s (type %s)") % (
pkgList, type(pkgList)))
# Okay, it's a list; is it a list of lists?
if type(pkgList[0]) is StringType:
# Wrap it in a list
pkgList = [pkgList]
# Now check all params
req_list = []
for p in pkgList:
req_list.append(check_package_spec(p))
# Authenticate the system certificate
server = self.auth_system('header', system_id)
# log the entry
log_debug(1, self.server_id, "items: %d" % len(req_list))
rpmHeaders = []
for pkg in pkgList:
# Authorize this package fetch.
# XXX: a bit heavy-handed I think... but old client stuff.
# NOTE: pkg for old client is [n,v,r,e]
path = rhnPackage.get_package_path_compat_arches(
self.server_id, pkg, server.archname)
# read the header from the file on disk
h = rhn_rpm.get_package_header(filename=path)
if h is None:
log_error("Unable to read package header", pkg)
raise rhnFault(17,
_("Unable to retrieve package header %s") % str(pkg))
rpmHeaders.append(rpclib.xmlrpclib.Binary(h.unload()))
del h
# Reset the flag for the proxy download accelerator
# This gets set by default in rhnPackage
rhnFlags.set("Download-Accelerator-Path", None)
if CFG.COMPRESS_HEADERS:
# Compress
rhnFlags.set("compress_response", 1)
return rpmHeaders
def entitle(self, server_id, history, virt_type = None):
for ent in self.remove_entitlements:
unentitle_server = rhnSQL.Procedure(
"rhn_entitlements.remove_server_entitlement")
try:
unentitle_server(server_id, ent, 0)
except rhnSQL.SQLSchemaError, e:
log_error("Failed to unentitle server", server_id,
ent, e.errmsg)
raise rhnFault(90, e.errmsg)
except rhnSQL.SQLError, e:
log_error("Failed to unentitle server", server_id,
ent, e.args)
raise rhnFault(90, str(e))
def headerParserHandler(self, req):
""" This whole function is ugly as hell. The Auth field in the header used to be required, but now
it must have either the Auth field or the Auth-Session field.
"""
# Initialize the logging
log_debug(3, "Method", req.method)
#Header string. This is what the Auth-Session field will look like in the header.
session_header = "%s-%s" % (self.header_prefix, "Auth-Session")
# legacy rhnpush sends File-MD5sum; translate it into File-Checksum
md5sum_header = "%s-%s" % (self.header_prefix, "File-MD5sum")
if req.headers_in.has_key(md5sum_header):
req.headers_in["%s-%s" % (self.header_prefix, "File-Checksum-Type")] = 'md5'
req.headers_in["%s-%s" % (self.header_prefix, "File-Checksum")] = \
req.headers_in[md5sum_header]
for f in self.required_fields:
hf = "%s-%s" % (self.header_prefix, f)
if not req.headers_in.has_key(hf):
#If the current field is Auth and Auth-Session field isn't present, something is wrong.
if f == "Auth" and not req.headers_in.has_key(session_header):
log_debug(4, "Required field %s missing" % f)
raise rhnFault(500, f)
#The current field is Auth and the Auth-Session field is present, so everything is good.
elif f == "Auth" and req.headers_in.has_key(session_header):
self.field_data["Auth-Session"] = req.headers_in[session_header]
continue
#The current field being looked for isn't the Auth field and it's missing, so something is wrong.
else:
log_debug(4, "Required field %s missing" % f)
raise rhnFault(500, f)
if not (f == "Auth" and not req.headers_in.has_key(hf)):
self.field_data[f] = req.headers_in[hf]
else:
if req.headers_in.has_key(session_header):
self.field_data[f] = req.headers_in[hf]
self.package_name = self.field_data["Package-Name"]
self.package_version = self.field_data["Package-Version"]
self.package_release = self.field_data["Package-Release"]
self.package_arch = self.field_data["Package-Arch"]
self.file_checksum_type = self.field_data["File-Checksum-Type"]
self.file_checksum = self.field_data["File-Checksum"]
#4/18/05 wregglej. if 1051 is in the header's keys, then it's a nosrc package.
self.is_source = (self.package_arch == 'src' or self.package_arch == 'nosrc')
return apache.OK
def auth_client():
""" Authenticates a request from a client
For an unsigned request, this function returns 0 (request should be
coming from a client).
"""
log_debug(3)
if not rhnFlags.test("AUTH_SESSION_TOKEN"):
# No auth information; decline any GET action (XMLRPC requests
# ignore this error).
log_debug(4, "declined client authentication for GET requests")
return 0
token = rhnFlags.get("AUTH_SESSION_TOKEN")
# Check to see if everything we need to compute the signature is there
for k in ('X-RHN-Server-Id',
'X-RHN-Auth',
'X-RHN-Auth-Server-Time',
'X-RHN-Auth-Expire-Offset'):
if not token.has_key(k):
# No auth information; decline any action
log_debug(4, "Declined auth of client for GET requests; "
"incomplete header info.")
return 0
clientId = token['X-RHN-Server-Id']
username = token['X-RHN-Auth-User-Id']
signature = token['X-RHN-Auth']
rhnServerTime = token['X-RHN-Auth-Server-Time']
expireOffset = token['X-RHN-Auth-Expire-Offset']
computed = computeSignature(CFG.SECRET_KEY, clientId, username,
rhnServerTime, expireOffset)
if computed != signature:
log_debug(4, "Sent client signature %s does not match ours %s." % (
signature, computed))
raise rhnFault(33, "Invalid client session key")
# Convert the expiration/time to floats:
rhnServerTime = float(rhnServerTime)
expireOffset = float(expireOffset)
if rhnServerTime + expireOffset < time.time():
log_debug(4, "Expired client authentication token")
raise rhnFault(34, "Expired client authentication token")
log_debug(4, "Client auth OK")
return 1
def getPackagePath(self, pkgFilename):
""" OVERLOADS getPackagePath in common/rhnRepository.
Returns complete path to an RPM file.
"""
log_debug(3, pkgFilename)
mappingName = "package_mapping:%s:" % self.channelName
pickledMapping = self._cacheObj(mappingName, self.channelVersion, self.__channelPackageMapping, ())
mapping = cPickle.loads(pickledMapping)
# If the file name has parameters, it's a different kind of package.
# Determine the architecture requested so we can construct an
# appropriate filename.
if type(pkgFilename) == types.ListType:
arch = pkgFilename[3]
if isSolarisArch(arch):
pkgFilename = "%s-%s-%s.%s.pkg" % (pkgFilename[0], pkgFilename[1], pkgFilename[2], pkgFilename[3])
if not mapping.has_key(pkgFilename):
log_error("Package not in mapping: %s" % pkgFilename)
raise rhnFault(17, _("Invalid RPM package requested: %s") % pkgFilename)
filePath = "%s/%s" % (CFG.PKG_DIR, mapping[pkgFilename])
log_debug(4, "File path", filePath)
if not os.access(filePath, os.R_OK):
log_debug(4, "Package not found locally: %s" % pkgFilename)
raise NotLocalError(filePath, pkgFilename)
return filePath
def auth_proxy():
""" Authenticates a proxy carrying a clients request. For a valid or
unsigned request, this function returns 1 (OK), otherwise it raises
rhnFault
NOTE: X-RHN-Proxy-Auth described in proxy/broker/rhnProxyAuth.py
"""
log_debug(3)
headers = rhnFlags.get('outputTransportOptions')
if not rhnFlags.test('X-RHN-Proxy-Auth'):
# No auth information; decline any action
log_debug(4, "declined proxy authentication")
headers['X-RHN-Proxy-Auth-Error'] = '%s:%s' % (
1003, _("declined proxy authentication"))
raise rhnFault(1003) # Invalid session key
# NOTE:
# - < v3.1 RHN proxies send only 1 token in this header
# - > v3.1: we send the route of the requests via multiple tokens
# "token1:hostname1,token2:hostname2" the first tuple is the first
# proxy hit.
tokens = string.split(rhnFlags.get('X-RHN-Proxy-Auth'), ',')
tokens = filter(lambda token: token, tokens)
for auth_token in tokens:
_verifyProxyAuthToken(auth_token)
# if no rhnFault was raised then the tokens all passed
return 1
def getUserGroupsFromUserInstance(user_instance):
log_debug(4, user_instance.getid())
user = user_instance
if not user:
log_debug("null user")
raise rhnFault(2)
#Don't need to check the password, the session should have already been checked.
# Get the org id
org_id = user.contact['org_id']
user_id = user.getid()
h = rhnSQL.prepare("""
select ugt.label
from rhnUserGroupType ugt,
rhnUserGroup ug,
rhnUserGroupMembers ugm
where ugm.user_id = :user_id
and ugm.user_group_id = ug.id
and ug.group_type = ugt.id
""")
h.execute(user_id=user_id)
groups = []
while 1:
row = h.fetchone_dict()
if not row:
break
groups.append(row['label'])
return groups, org_id, user_id
def authzChannels(self, channels):
log_debug(4, channels)
if not channels:
return
if 'rhn_superuser' in self.groups:
log_debug(4, "Is superuser")
return None
# rhn_channel.user_role_check checks for the ownership of the channel
# by this user's org
h = rhnSQL.prepare("""
select rhn_channel.user_role_check(id, :user_id, 'manage') manage
from rhnChannel
where label = :channel
""")
for channel in channels:
h.execute(channel=channel, user_id=self.user_id)
row = h.fetchone_dict()
# Either the channel doesn't exist, or not allowed to manage it
if not row or not row['manage']:
raise rhnFault(32,
_("You are not allowed to manage channel %s, or that "
"channel does not exist") % channel)
log_debug(4, "User %s allowed to manage channel %s" %
(self.user_id, channel))
return None
def dump_errata(self, errata, verify_errata=False):
log_debug(2)
errata_hash = {}
if verify_errata:
h = self.get_errata_statement()
for erratum in errata:
errata_id = self._get_item_id('rhn-erratum-', str(erratum),
3004, "Wrong erratum name %s")
if errata_hash.has_key(errata_id):
# Already verified
continue
h.execute(errata_id=errata_id)
row = h.fetchone_dict()
if not row:
# XXX Silently ignore it?
raise rhnFault(3005, "No such erratum %s" % erratum)
# Saving the row, it's handy later when we create the iterator
errata_hash[errata_id] = row
else:
for erratum in errata:
errata_hash[erratum['errata_id']] = erratum
self._write_dump(ErrataDumper, params=errata_hash.values())
return 0
def _packages(self, packages, prefix, dump_class, sources=0,
verify_packages=False):
packages_hash = {}
if verify_packages:
if sources:
h = self.get_source_packages_statement()
else:
h = self.get_packages_statement()
for package in packages:
package_id = self._get_item_id(prefix, str(package),
3002, 'Invalid package name %s')
if packages_hash.has_key(package_id):
# Already verified
continue
h.execute(package_id=package_id)
row = h.fetchone_dict()
if not row:
# XXX Silently ignore it?
raise rhnFault(3003, "No such package %s" % package)
# Saving the row, it's handy later when we create the iterator
packages_hash[package_id] = row
else:
for package in packages:
packages_hash[package['package_id']] = package
self._write_dump(dump_class, params=packages_hash.values())
return 0
def client_set_namespaces(self, systemid, namespaces):
self.auth_system(systemid)
server_id = self.server.getid()
org_id = self.server.server['org_id']
h = rhnSQL.prepare("""
delete from rhnServerConfigChannel where server_id = :server_id
""")
h.execute(server_id=server_id)
h = rhnSQL.prepare("""
insert into rhnServerConfigChannel (server_id, config_channel_id, position)
select :server_id, id, :position
from rhnConfigChannel
where name = :config_channel
and org_id = :org_id
""")
position = 0
for config_channel in namespaces:
rowcount = h.execute(server_id=server_id, position=position,
config_channel=config_channel, org_id=org_id)
if not rowcount:
raise rhnFault(4009, "Unable to find config channel %s" %
config_channel, explain=0)
position = position + 1
rhnSQL.commit()
return 0
def client_upload_file(self, systemid, action_id, file):
self.auth_system(systemid)
log_debug(1, self.server_id, action_id)
# Validate that the action indeed applies
h = rhnSQL.prepare(self._query_client_upload_files)
h.execute(server_id=self.server_id, action_id=action_id)
row = h.fetchone_dict()
if not row:
raise rhnFault(4002, "Action not available for this server")
if row['action_status'] != 'Picked Up':
raise rhnFault(4002, "Improper action for this server")
config_channel_id = row['config_channel_id']
return self.push_file(config_channel_id, file)
def validate_new_username(username):
log_debug(3)
if len(username) < CFG.MIN_NEW_USER_LEN:
raise rhnFault(13, _("username should be at least %d characters long")
% CFG.MIN_NEW_USER_LEN)
disallowed_suffixes = CFG.DISALLOWED_SUFFIXES or []
if not isinstance(disallowed_suffixes, type([])):
disallowed_suffixes = [ disallowed_suffixes ]
log_debug(4, "Disallowed suffixes", disallowed_suffixes)
for suffix in disallowed_suffixes:
if string.upper(username[-len(suffix):]) == string.upper(suffix):
raise rhnFault(106, _("Cannot register usernames ending with %s") %
suffix)
def __reserve_user_db(user, password):
encrypted_password = CFG.encrypted_passwords
log_debug(3, user, CFG.disallow_user_creation, encrypted_password, CFG.pam_auth_service)
user = str(user)
h = rhnSQL.prepare("""
select w.id, w.password, w.old_password, w.org_id, ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = upper(:p1)
and w.id = ui.user_id
""")
h.execute(p1=user)
data = h.fetchone_dict()
if data and data["id"]:
# contact exists, check password
if data['use_pam_authentication'] == 'Y' and CFG.pam_auth_service:
# We use PAM for authentication
import rhnAuthPAM
if rhnAuthPAM.check_password(user, password, CFG.pam_auth_service) > 0:
return 1
return -1
if check_password(password, data['password'], data['old_password']) > 0:
return 1
return -1
# user doesn't exist. now we fail, instead of reserving user.
if CFG.disallow_user_creation:
raise rhnFault(2001)
# now check the reserved table
h = rhnSQL.prepare("""
select r.login, r.password from rhnUserReserved r
where r.login_uc = upper(:p1)
""")
h.execute(p1=user)
data = h.fetchone_dict()
if data and data["login"]:
# found already reserved
if check_password(password, data["password"], None) > 0:
return 1
return -2
validate_new_username(user)
log_debug(3, "calling validate_new_password" )
validate_new_password(password)
# this is not reserved either, register it
if encrypted_password:
# Encrypt the password, let the function pick the salt
password = encrypt_password(password)
h = rhnSQL.prepare("""
insert into rhnUserReserved (login, password)
values (:username, :password)
""")
h.execute(username=user, password=password)
rhnSQL.commit()
# all should be dandy
return 0