def initDB(backend=None, host=None, port=None, username=None,
           password=None, database=None, sslmode=None, sslrootcert=None):
    """
    Initialize the database.

    Either we get backend and all parameter which means the caller
    knows what they are doing, or we populate everything from the
    config files.

    When backend is None every connection setting, including sslmode
    and sslrootcert, is taken from CFG and any values passed for them
    are overwritten. When backend is given, sslmode and sslrootcert are
    forwarded exactly as passed, so this function requests TLS only if
    the caller asked for it.

    Raises rhnException if backend is not in SUPPORTED_BACKENDS and
    re-raises SQLConnectError after the cleanup below. Nothing is
    returned explicitly on success.
    """
    if backend is None:
        # No explicit settings: make sure the 'server' configuration is loaded
        if CFG is None or not CFG.is_initialized():
            initCFG('server')
        backend = CFG.DB_BACKEND
        host = CFG.DB_HOST
        port = CFG.DB_PORT
        database = CFG.DB_NAME
        username = CFG.DB_USER
        password = CFG.DB_PASSWORD
        # TLS is opt-in through DB_SSL_ENABLED. When it is on, the mode is
        # fixed to 'verify-full' with the configured root certificate.
        # NOTE(review): in libpq terms that means chain and host name are
        # both verified; how each backend driver applies it is not visible here.
        sslmode = None
        sslrootcert = None
        if CFG.DB_SSL_ENABLED:
            sslmode = 'verify-full'
            sslrootcert = CFG.DB_SSLROOTCERT

    if backend not in SUPPORTED_BACKENDS:
        raise rhnException("Unsupported database backend", backend)

    # Truthy ports are coerced to int; None/empty values pass through unchanged
    if port:
        port = int(port)

    # Hide the password
    # NOTE(review): registered before the connection attempt so it is already
    # on the seclist if connecting fails; what consumes the seclist is not
    # shown here - presumably log/traceback scrubbing, confirm.
    add_to_seclist(password)
    try:
        # Both connections are opened with the same credentials and TLS settings
        __init__DB(backend, host, port, username, password, database, sslmode, sslrootcert)
        __init__DB2(backend, host, port, username, password, database, sslmode, sslrootcert)
#    except (rhnException, SQLError):
#        raise  # pass on, we know those ones
#    except (KeyboardInterrupt, SystemExit):
#        raise
    except SQLConnectError, e:
        try:
            # Drop the module-level connection objects after a failed connect.
            # If __DB was never bound, the NameError skips the del of __DB2 too.
            global __DB
            global __DB2
            del __DB
            del __DB2
        except NameError:
            pass
        raise e
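def initDB(backend=None, host=None, port=None, username=None,
           password=None, database=None, sslmode=None, sslrootcert=None, initsecond=False):
    """
    Initialize the database.

    Either we get backend and all parameter which means the caller
    knows what they are doing, or we populate everything from the
    config files.

    initsecond: If set to True it initialize a second DB connection.
                By default only one DB connection is needed.

    When backend is None every connection setting, including sslmode
    and sslrootcert, is read from CFG and any values passed for them are
    overwritten. When backend is given, sslmode and sslrootcert are
    forwarded as passed, so TLS is requested only if the caller asked
    for it.

    Returns 0 on success. Raises rhnException for a backend outside
    SUPPORTED_BACKENDS; SQLConnectError is re-raised with the traceback
    of the failed connection attempt after closeDB() has been tried.
    """
    if backend is None:
        if CFG is None or not CFG.is_initialized():
            initCFG('server')
        backend = CFG.DB_BACKEND
        host = CFG.DB_HOST
        port = CFG.DB_PORT
        database = CFG.DB_NAME
        username = CFG.DB_USER
        password = CFG.DB_PASSWORD
        # TLS is opt-in via DB_SSL_ENABLED; when on, the mode is pinned to
        # 'verify-full' together with the configured root certificate.
        sslmode = None
        sslrootcert = None
        if CFG.DB_SSL_ENABLED:
            sslmode = 'verify-full'
            sslrootcert = CFG.DB_SSLROOTCERT

    if backend not in SUPPORTED_BACKENDS:
        raise rhnException("Unsupported database backend", backend)

    if port:
        port = int(port)

    # Hide the password
    # NOTE(review): done before connecting so the value is already on the
    # seclist if the attempt fails; the consumer of the seclist is not
    # visible here - presumably log/traceback scrubbing, confirm.
    add_to_seclist(password)
    try:
        # Comparison kept as "== False": only False/0 select the first
        # connection, any other value (None included) selects the second.
        if initsecond == False:
            __init__DB(backend, host, port, username, password, database, sslmode, sslrootcert)
        else:
            __init__DB2(backend, host, port, username, password, database, sslmode, sslrootcert)
#    except (rhnException, SQLError):
#        raise  # pass on, we know those ones
#    except (KeyboardInterrupt, SystemExit):
#        raise
    except SQLConnectError:
        # Take the exception and its traceback before any cleanup runs.
        # On Python 2 a NameError handled inside closeDB()'s guard replaces
        # sys.exc_info(), so reading the traceback afterwards could attach
        # the wrong one to the connection error.
        e, tb = sys.exc_info()[1:3]
        try:
            closeDB()
        except NameError:
            pass
        raise_with_tb(e, tb)
    except:
        raise
        #e_type, e_value = sys.exc_info()[:2]
        # raise rhnException("Could not initialize Oracle database connection",
        #                   str(e_type), str(e_value))
    return 0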
def initDB(backend=None, host=None, port=None, username=None,
           password=None, database=None, sslmode=None, sslrootcert=None, initsecond=False):
    """
    Open a database connection, from explicit arguments or from CFG.

    With backend=None all settings are read from the 'server'
    configuration, and the sslmode/sslrootcert arguments are replaced
    by what DB_SSL_ENABLED dictates ('verify-full' plus the configured
    root certificate, or None/None). With an explicit backend the
    caller's values are used untouched, TLS settings included.

    initsecond: when it compares equal to False (the default) the first
                connection is initialised, otherwise the second one.

    Returns 0. Raises rhnException for an unsupported backend and
    re-raises SQLConnectError once closeDB() has been attempted.
    """
    if backend is None:
        config_ready = CFG is not None and CFG.is_initialized()
        if not config_ready:
            initCFG('server')
        backend = CFG.DB_BACKEND
        host = CFG.DB_HOST
        port = CFG.DB_PORT
        database = CFG.DB_NAME
        username = CFG.DB_USER
        password = CFG.DB_PASSWORD
        # Certificate verification is only requested when the config enables TLS
        if CFG.DB_SSL_ENABLED:
            sslmode = 'verify-full'
            sslrootcert = CFG.DB_SSLROOTCERT
        else:
            sslmode = None
            sslrootcert = None

    if backend not in SUPPORTED_BACKENDS:
        raise rhnException("Unsupported database backend", backend)

    if port:
        port = int(port)

    # Put the password on the seclist before the connection attempt
    # NOTE(review): presumably this keeps it out of log/traceback output - confirm
    add_to_seclist(password)
    try:
        # Pick the initialiser inside the try so a failed lookup is handled
        # exactly like a failure of the call itself.
        if initsecond == False:
            connect = __init__DB
        else:
            connect = __init__DB2
        connect(backend, host, port, username, password, database, sslmode, sslrootcert)
    except SQLConnectError:
        connect_error = sys.exc_info()[1]
        try:
            closeDB()
        except NameError:
            # nothing had been opened yet
            pass
        raise connect_error
    except:
        # every other failure goes to the caller as it is
        raise
    return 0
def new_system(self, data):
    """
    Register a system from a single dictionary and return its certificate.

    data is read for these keys: os_release, profile_name and
    architecture always; username and password when no 'token' key is
    present. validate_system_input() runs first and is responsible for
    rejecting incomplete input.

    Without a token the username/password pair is checked through
    validate_system_user() and the resulting user object is handed to
    create_system(); with a token the user is None.

    Faults for channel subscription and entitlement problems are issued
    inside create_system() (bretm 02/19/2007), not here.

    Starting with RHEL 5, the client will use
    activate_registration_number, activate_hardware_info,
    new_system_user_pass, and/or new_system_activation_key instead of
    this. In hosted, RHEL 4 and earlier will also call
    activate_registration_number.
    """
    # Put the password on the seclist before validation can raise
    if data.has_key("password"):
        add_to_seclist(data["password"])

    # Minimum-input check comes before any credential handling
    self.validate_system_input(data)

    # Credentials are only checked when registration is not token based
    if data.has_key('token'):
        owner = None
    else:
        owner = self.validate_system_user(data["username"], data["password"])

    # Lookups stay in this order so a missing key surfaces the same way
    os_release = data['os_release']
    profile = data['profile_name']
    arch = data['architecture']

    created = self.create_system(owner, profile, os_release, arch, data)

    # The server certificate is what goes back to the client
    return created['server'].system_id()
def auth(self, login, password):
    """
    Authenticate login/password and store the result on the instance.

    On success self.groups, self.org_id and self.user_id are set from
    what getUserGroups() returns. An rhnFault from getUserGroups() is
    propagated unchanged; for fault code 2 it is delayed by two seconds
    first.
    """
    # Put the password on the seclist before anything can fail
    # NOTE(review): presumably keeps it out of log/traceback output - confirm
    add_to_seclist(password)
    try:
        self.groups, self.org_id, self.user_id = getUserGroups(login, password)
    except rhnFault, e:
        if e.code == 2:
            # invalid login/password; set timeout to baffle
            # brute force password guessing attacks (BZ 672163)
            # The delay is per request and blocks the calling thread; nothing
            # in this method counts failed attempts or locks an account.
            time.sleep(2)
        raise
def unsubscribeChannels(self, system_id, channelNames, username, passwd):
    """ Clients v2+

    Remove the system identified by system_id from every channel named
    in channelNames, passing username/passwd through to
    rhnChannel.unsubscribe_channel for each one. Returns 0.
    """
    # The password goes on the seclist first; the entry trace below
    # carries no arguments at all.
    add_to_seclist(passwd)
    log_debug(3)

    # The system certificate must authenticate before anything is changed
    self.auth_system('unsubscribeChannel', system_id)

    log_debug(1, self.server_id, channelNames)

    # Channels are processed in list order; a failure part way through
    # leaves the earlier ones already unsubscribed.
    for label in channelNames:
        rhnChannel.unsubscribe_channel(self.server_id, label, username, passwd)
    return 0
def auth(self, login, password):
    """
    Authenticate login/password and cache groups, org id and user id.

    The three values returned by getUserGroups() are stored on the
    instance and written to the debug log at level 4. An rhnFault is
    re-raised unchanged; when its code is 2 the re-raise is held back
    for two seconds.
    """
    # Put the password on the seclist before the lookup can fail
    add_to_seclist(password)
    try:
        self.groups, self.org_id, self.user_id = getUserGroups(login, password)
    except rhnFault:
        fault = sys.exc_info()[1]
        bad_credentials = (fault.code == 2)
        if bad_credentials:
            # invalid login/password: fixed delay against brute force
            # password guessing (BZ 672163). It slows one client per
            # request; no attempt counting happens in this method.
            time.sleep(2)
        raise
    else:
        summary = "Groups: %s; org_id: %s; user_id: %s" % (
            self.groups, self.org_id, self.user_id)
        log_debug(4, summary)
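def subscribeChannels(self, system_id, channelNames, username, passwd):
    """ Clients v2+

    Subscribe the system identified by system_id to every channel named
    in channelNames, passing username/passwd through to
    rhnChannel.subscribe_channel for each one.

    Returns 0. Raises rhnFault(73) for the first channel name matched by
    NONSUBSCRIBABLE_CHANNELS; channels earlier in the list have already
    been subscribed by then, and the server snapshot has already been
    taken.
    """
    add_to_seclist(passwd)
    # The clear-text password is not handed to the debug log. Whether the
    # seclist also scrubs log_debug output is not visible from this method,
    # so the value is simply kept out of the trace.
    log_debug(5, system_id, channelNames, username)
    # Authenticate the system certificate
    self.auth_system('subscribeChannel', system_id)

    # log the entry
    log_debug(1, self.server_id, channelNames)

    server_lib.snapshot_server(self.server_id, 'Base Channel Updated')
    for channelName in channelNames:
        # Names matching the deny pattern are refused outright
        if NONSUBSCRIBABLE_CHANNELS.search(channelName):
            raise rhnFault(73, explain=False)
        else:
            rhnChannel.subscribe_channel(self.server_id,
                                         channelName, username, passwd)
    return 0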
def getUserGroups(login, password):
    """
    Authenticate a user and return its group data.

    Per the original comment the result is the list of groups the user
    belongs to and the org id; it is whatever
    getUserGroupsFromUserInstance() returns for the user object.

    Raises rhnFault(2) both for an unknown login and for a wrong
    password, so the fault itself does not tell the two apart.
    """
    # Password goes on the seclist before the first log call; only the
    # login is traced.
    add_to_seclist(password)
    log_debug(4, login)

    account = rhnUser.search(login)
    if not account:
        # NOTE(review): log_debug gets the message as its first argument
        # here, while other calls pass a numeric level first - confirm
        # this is intended.
        log_debug("rhnUser.search failed")
        raise rhnFault(2)

    if account.check_password(password):
        return getUserGroupsFromUserInstance(account)

    log_debug("user.check_password failed")
    raise rhnFault(2)
def reserve_user(self, username, password):
    """
    Create a record for the given username/password pair.

    The same call is used early in rhn_register to verify a login and
    password. According to the original comments the user is only
    reserved when CFG.disallow_user_creation is not set; that check
    lives in rhnUser.reserve_user, not in this method.

    Returns the value from rhnUser.reserve_user when it is not negative
    (a true value if the user is reserved); raises rhnFault(3) when it
    is negative.
    """
    # The password goes on the seclist; only the username is traced
    add_to_seclist(password)
    log_debug(1, username)

    status = rhnUser.reserve_user(username, password)
    log_debug(3, "rhnUser.reserve_user returned: " + str(status))

    if not (status < 0):
        return status
    raise rhnFault(3)
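def getUserGroups(login, password):
    """
    Authenticate a user and return its group data.

    Per the original comment the result is the list of groups the user
    belongs to and the org id; it is whatever
    getUserGroupsFromUserInstance() returns for the user object.

    Raises rhnFault(2) for an unknown login or a wrong password, and
    rhnFault(1) with an explanatory message when the account is
    disabled. The disabled check runs only after the password has been
    verified, so the deactivation message is never shown for a wrong
    password.
    """
    # Password goes on the seclist before the first log call; only the
    # login is traced.
    add_to_seclist(password)
    log_debug(4, login)

    user = rhnUser.search(login)

    if not user:
        log_debug("rhnUser.search failed")
        raise rhnFault(2)

    # Check the user's password
    if not user.check_password(password):
        log_debug("user.check_password failed")
        raise rhnFault(2)

    # The original referenced an undefined name "username" here, which
    # raises NameError instead of performing the disabled-account check;
    # the function's parameter is "login".
    if rhnUser.is_user_disabled(login):
        msg = _(""" %s Account has been deactivated on this server. Please contact your Org administrator for more help.""")
        raise rhnFault(1, msg % login, explain=0)

    return getUserGroupsFromUserInstance(user)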
def new_system_user_pass(self, profile_name, os_release_name,
                         version, arch, username,
                         password, other):
    """
    Register a new system to the org identified by username/password.
    New for RHEL 5.

    All arguments are strings except other, a dict that is passed on to
    create_system(). The original documentation lists two optional
    entries for it, neither of which is read in this method:
        * org_id - a string holding the org number; the default org is
          used when it is missing.
        * reg_num - an EN that is not activated, used for automatic
          child channel subscription and for choosing the service level.
    other is modified in place: 'release_name' is set to
    os_release_name.

    Returns a dict with:
        * system_id - the server certificate
        * channels - labels of the channels the system is subscribed to
        * failed_channels - labels that should have been subscribed but
          were not; holds the base channel when no subscription
          succeeded and the base channel could be looked up
        * failed_options - always an empty list in this implementation
        * system_slots - the keys reported by
          server_lib.check_entitlement() for the new server
        * failed_system_slots - the slots tried, highest first, before
          the first one that was granted
        * universal_activation_key - tokens of the universal
          registration token when that flag is set, else an empty list

    Only 'enterprise_entitled' (management) and 'sw_mgr_entitled'
    (updates) are tried here, in that order.
    Eg: a system that ends up with only update entitlements gets
    'sw_mgr_entitled' in system_slots and 'enterprise_entitled' in
    failed_system_slots.

    If an error occurs which prevents the creation of a profile, a
    fault will be raised: TODO
    """
    # Put the password on the seclist before any logging or validation
    add_to_seclist(password)

    log_debug(4,'in new_system_user_pass')

    # release_name was not part of the old call, so it travels in other
    other['release_name'] = os_release_name

    # Credentials are verified before any record is created
    user = self.validate_system_user(username, password)

    # Creates and commits the rhnServer record and assigns a base channel
    server_data = self.create_system(user, profile_name, version, arch, other)
    newserv = server_data['server']
    server_id = newserv.getid()
    system_certificate = newserv.system_id()

    log_debug(4, 'Server id created as %s' % server_id)

    # Neither list is ever filled in this method
    failures = []
    unknowns = []

    failed_channels = []
    successful_channels = [
        entry['label'] for entry in rhnChannel.channels_for_server(server_id)
    ]

    # No subscription at all means the base channel itself failed
    if not successful_channels:
        log_debug(4, 'System %s not subscribed to any channels' % server_id)
        try:
            base = rhnChannel.get_channel_for_release_arch(
                version, arch, newserv['org_id'])
            failed_channels.append(base['label'])
        # Deliberately best effort: this only feeds the review screen in
        # rhn_register, so every error is swallowed - which also means a
        # failed lookup leaves no trace in the result.
        except:
            pass

    # Child channel failures are appended after the base channel
    failed_channels = failed_channels + failures

    attempted_system_slots = ['enterprise_entitled', 'sw_mgr_entitled']
    successful_system_slots = server_lib.check_entitlement(server_id).keys()

    # Position of the first granted slot, highest level first; everything
    # in front of it counts as failed. All slots fail when none is granted.
    first_granted = len(attempted_system_slots)
    for position, slot in enumerate(attempted_system_slots):
        if slot in successful_system_slots:
            first_granted = position
            break
    failed_system_slots = attempted_system_slots[:first_granted]

    universal_activation_key = []
    if rhnFlags.test("universal_registration_token"):
        universal_activation_key = rhnFlags.get(
            "universal_registration_token").get_tokens()

    return {'system_id': system_certificate,
            'channels': successful_channels,
            'failed_channels': failed_channels,
            'failed_options': unknowns,
            'system_slots': successful_system_slots,
            'failed_system_slots': failed_system_slots,
            'universal_activation_key': universal_activation_key}