def list_users_by_cert(self, cert):
    """
    Look for users matching the cert.

    Call Users.ListByCertificate interface and return a dict with
    key = domain, value = list of uids corresponding to the users
    matching the provided cert.

    :param cert: DER-encoded bytes, or a cryptography Certificate
        instance (IPACertificate)
    :return: dict mapping domain -> list of user names; an empty dict
        when sssd reports no matching user
    :raise RemoteRetrieveError: if DBus error occurs
    """
    # sssd's ListByCertificate takes PEM, so normalise whatever we got.
    if not isinstance(cert, crypto_x509.Certificate):
        cert = x509.load_der_x509_certificate(cert)
    cert_pem = cert.public_bytes(x509.Encoding.PEM)

    try:
        # bug 3306 in sssd returns 0 entry when max_entries = 0
        # Temp workaround is to use a non-null value, not too high
        # to avoid reserving unneeded memory
        limit = dbus.UInt32(100)
        matches = self._users_iface.ListByCertificate(cert_pem, limit)

        by_domain = {}
        for path in matches:
            props = dbus.Interface(
                self._bus.get_object(DBUS_SSSD_NAME, path),
                DBUS_PROPERTY_IF)
            login = props.Get(DBUS_SSSD_USER_IF, 'name')
            # Logins look like name@domain; a bare name belongs to our realm.
            parts = login.split('@')
            domain = parts[1] if len(parts) >= 2 else api.env.realm
            by_domain.setdefault(domain, []).append(parts[0])
        return by_domain
    except dbus.DBusException as e:
        # "no matching user" is an ordinary outcome, not an error
        if e.get_dbus_name() == 'org.freedesktop.sssd.Error.NotFound':
            return {}
        logger.error(
            'Failed to use interface %s. DBus exception is %s.',
            DBUS_SSSD_USERS_IF, e)
        raise errors.RemoteRetrieveError(
            reason=_('Failed to find users over SystemBus.  See details '
                     'in the error_log'))
def assess_dcerpc_exception(num=None, message=None):
    """
    Takes error returned by Samba bindings and converts it into an
    IPA error class.

    The numeric NT status is consulted first (``dcerpc_error_codes``),
    then the symbolic message (``dcerpc_error_messages``); anything
    unknown becomes a generic RemoteRetrieveError that quotes both.

    :param num: NT status code from the Samba binding, or None
    :param message: NT status name from the Samba binding, or None
    :return: an IPA error instance (not raised here)
    """
    # A falsy num (None or 0) is treated as "no code given".
    if num:
        mapped = dcerpc_error_codes.get(num)
        if mapped is not None:
            return mapped
    if message:
        mapped = dcerpc_error_messages.get(message)
        if mapped is not None:
            return mapped
    reason = _('''CIFS server communication error: code "%(num)s", message "%(message)s" (both may be "None")''') % {
        'num': num, 'message': message}
    return errors.RemoteRetrieveError(reason=reason)
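def get_ca_certchain(ca_host=None):
    """
    Retrieve the CA Certificate chain from the configured Dogtag server.

    Performs ``GET /ca/ee/ca/getCertChain`` and returns the text of the
    ``ChainBase64`` element of the XML response.

    :param ca_host: Dogtag host name; defaults to ``api.env.ca_host``
    :return: the base64 chain text
    :raise RemoteRetrieveError: on a non-200 HTTP status, or when the
        response carries no ``ChainBase64`` element (the ``Error``
        element's text, if any, is included in the reason)
    """
    if ca_host is None:
        ca_host = api.env.ca_host

    # NOTE(review): this is a plaintext HTTP request (UNSECURE_PORT), so the
    # transport does not authenticate the chain; callers must treat the
    # result as untrusted until it is checked against a trusted anchor.
    conn = httplib.HTTPConnection(
        ca_host,
        api.env.ca_install_port or configured_constants().UNSECURE_PORT)
    try:
        conn.request("GET", "/ca/ee/ca/getCertChain")
        res = conn.getresponse()
        status = res.status
        data = res.read() if status == 200 else None
    finally:
        # Close on every path; the original only closed on HTTP 200 and
        # leaked the connection on error statuses.
        conn.close()

    if status != 200:
        raise errors.RemoteRetrieveError(
            reason=_("request failed with HTTP status %d") % status)

    doc = xml.dom.minidom.parseString(data)
    try:
        try:
            return doc.getElementsByTagName("ChainBase64")[0].childNodes[0].data
        except IndexError:
            pass
        # No chain: Dogtag reports the problem in an <Error> element. The
        # original raised inside a broad `except Exception`, so the Error
        # text was always re-wrapped; here it is read once and raised once.
        try:
            reason = doc.getElementsByTagName("Error")[0].childNodes[0].data
        except (IndexError, AttributeError) as e:
            reason = e
        raise errors.RemoteRetrieveError(
            reason=_("Retrieving CA cert chain failed: %s") % reason)
    finally:
        doc.unlink()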
def ca_status(ca_host=None):
    """Return the status of the CA, and the httpd proxy in front of it

    The returned status can be:
    - running
    - starting
    - Service Temporarily Unavailable

    :param ca_host: Dogtag host name; defaults to ``api.env.ca_host``
    :return: the HTTP status 503 when the service is temporarily
        unavailable, otherwise the parsed status from the response body
    :raise RemoteRetrieveError: on any other non-200 HTTP status
    """
    host = api.env.ca_host if ca_host is None else ca_host
    status, _headers, body = http_request(
        host, 8080, '/ca/admin/ca/getStatus')
    if status == 503:
        # Service temporarily unavailable
        return status
    if status == 200:
        return _parse_ca_status(body)
    raise errors.RemoteRetrieveError(
        reason=_("Retrieving CA status failed with status %d") % status)
def __init__(self):
    """
    Initialize the Users object and interface.

    Connects to the system bus and binds the sssd Users object at
    DBUS_SSSD_USERS_PATH to the DBUS_SSSD_USERS_IF interface.

    :raise RemoteRetrieveError: if DBus error occurs
    """
    try:
        self._bus = dbus.SystemBus()
        users_obj = self._bus.get_object(DBUS_SSSD_NAME, DBUS_SSSD_USERS_PATH)
        self._users_obj = users_obj
        self._users_iface = dbus.Interface(users_obj, DBUS_SSSD_USERS_IF)
    except dbus.DBusException as e:
        # Details go to the log; the caller only sees a generic error.
        logger.error(
            'Failed to initialize DBus interface %s. DBus exception is %s.',
            DBUS_SSSD_USERS_IF, e)
        raise errors.RemoteRetrieveError(
            reason=_('Failed to connect to sssd over SystemBus. See details '
                     'in the error_log'))
def ca_status(ca_host=None, use_proxy=True):
    """Return the status of the CA, and the httpd proxy in front of it

    The returned status can be:
    - running
    - starting
    - Service Temporarily Unavailable

    :param ca_host: Dogtag host name; defaults to ``api.env.ca_host``
    :param use_proxy: when True, query port 443 so the httpd proxy is
        exercised as well; otherwise talk to port 8443
    :return: the HTTP status 503 when the service is temporarily
        unavailable, otherwise the parsed status from the response body
    :raise RemoteRetrieveError: on any other non-200 HTTP status
    """
    host = api.env.ca_host if ca_host is None else ca_host
    # Use port 443 to test the proxy as well
    ca_port = 443 if use_proxy else 8443
    status, _headers, body = unauthenticated_https_request(
        host, ca_port, '/ca/admin/ca/getStatus')
    if status == 503:
        # Service temporarily unavailable
        return status
    if status == 200:
        return _parse_ca_status(body)
    raise errors.RemoteRetrieveError(
        reason=_("Retrieving CA status failed with status %d") % status)
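def get_ca_certchain(ca_host=None):
    """
    Retrieve the CA Certificate chain from the configured Dogtag server.

    Performs ``GET /ca/ee/ca/getCertChain``. The body is first read as
    JSON (``Response.ChainBase64``); if that fails it is parsed as XML
    and the ``ChainBase64`` element is used.

    :param ca_host: Dogtag host name; defaults to ``api.env.ca_host``
    :return: the base64 chain text
    :raise RemoteRetrieveError: on a non-200 HTTP status, or (via
        ``error_from_xml``) when neither form carries a chain
    """
    if ca_host is None:
        ca_host = api.env.ca_host

    # NOTE(review): this is a plaintext HTTP request (port 8080 unless
    # ca_install_port is set), so the transport does not authenticate the
    # chain; callers must verify it against a trusted anchor before use.
    conn = httplib.HTTPConnection(
        ca_host, api.env.ca_install_port or 8080)
    try:
        conn.request("GET", "/ca/ee/ca/getCertChain")
        res = conn.getresponse()
        status = res.status
        data = res.read() if status == 200 else None
    finally:
        # Close on every path; the original only closed on HTTP 200 and
        # leaked the connection on error statuses.
        conn.close()

    if status != 200:
        raise errors.RemoteRetrieveError(
            reason=_("request failed with HTTP status %d") % status)

    try:
        # ValueError covers json.JSONDecodeError and a body that is not
        # valid UTF-8; TypeError covers a top-level value that is not an
        # object. All of them fall through to the XML form.
        return json.loads(data)['Response']['ChainBase64']
    except (ValueError, KeyError, TypeError):
        logger.debug("Response is not valid JSON, try XML")

    doc = xml.dom.minidom.parseString(data)
    try:
        try:
            return doc.getElementsByTagName("ChainBase64")[0].childNodes[0].data
        except IndexError:
            raise error_from_xml(
                doc, _("Retrieving CA cert chain failed: %s"))
    finally:
        # unlink() is a minidom method; keep it scoped to the XML document
        # so it can never be called on the JSON dict.
        doc.unlink()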
from ipaserver.ipaldap import IPAdmin from ipalib.session import krbccache_dir, krbccache_prefix from ipapython import dnsclient __doc__ = _(""" Classes to manage trust joins using DCE-RPC calls The code in this module relies heavily on samba4-python package and Samba4 python bindings. """) access_denied_error = errors.ACIError( info=_('CIFS server denied your credentials')) dcerpc_error_codes = { -1073741823: errors.RemoteRetrieveError( reason=_('communication with CIFS server was unsuccessful')), -1073741790: access_denied_error, -1073741715: access_denied_error, -1073741614: access_denied_error, -1073741603: errors.ValidationError(name=_('AD domain controller'), error=_('unsupported functional level')), } dcerpc_error_messages = { "NT_STATUS_OBJECT_NAME_NOT_FOUND": errors.NotFound(reason=_('Cannot find specified domain or server name')), "NT_STATUS_INVALID_PARAMETER_MIX":