파일: certmap.py 프로젝트: zz22394/freeipa
    def list_users_by_cert(self, cert):
        """
        Return the SSSD users whose mapped certificate matches ``cert``.

        Calls the ``Users.ListByCertificate`` DBus method and groups the
        returned logins by domain: the result is a dict mapping domain to
        a list of user names.  A login without an ``@domain`` suffix is
        filed under ``api.env.realm``.

        :param cert: either a ``crypto_x509.Certificate`` instance or the
            DER encoding of a certificate as bytes
        :return: dict ``{domain: [name, ...]}``; empty when SSSD reports
            no matching user
        :raise RemoteRetrieveError: on any DBus error other than NotFound

        NOTE(review): a malformed DER ``cert`` is not caught here -- whatever
        ``x509.load_der_x509_certificate`` raises propagates to the caller.
        Results are capped at 100 entries by the ``max_entries`` argument
        (see the sssd bug note below), so a certificate mapped to more users
        than that is silently truncated.
        """
        # SSSD wants the certificate in PEM; accept either form on input.
        if isinstance(cert, crypto_x509.Certificate):
            pem = cert.public_bytes(x509.Encoding.PEM)
        else:
            pem = x509.load_der_x509_certificate(cert).public_bytes(
                x509.Encoding.PEM)

        try:
            # sssd bug 3306: max_entries = 0 yields no entries at all, so
            # pass a small non-zero bound rather than "unlimited" (and keep
            # it modest to avoid reserving memory that is never used).
            paths = self._users_iface.ListByCertificate(pem, dbus.UInt32(100))
            by_domain = {}
            for path in paths:
                obj = self._bus.get_object(DBUS_SSSD_NAME, path)
                props = dbus.Interface(obj, DBUS_PROPERTY_IF)
                login = props.Get(DBUS_SSSD_USER_IF, 'name')

                # login is "name@domain"; fall back to the local realm when
                # no domain part is present.
                parts = login.split('@')
                name = parts[0]
                if len(parts) >= 2:
                    domain = parts[1]
                else:
                    domain = api.env.realm

                by_domain.setdefault(domain, []).append(name)
            return by_domain
        except dbus.DBusException as e:
            # "no such user" is an ordinary empty result, not a failure
            if e.get_dbus_name() == 'org.freedesktop.sssd.Error.NotFound':
                return {}
            logger.error(
                'Failed to use interface %s. DBus '
                'exception is %s.', DBUS_SSSD_USERS_IF, e)
            raise errors.RemoteRetrieveError(
                reason=_('Failed to find users over SystemBus. '
                         ' See details in the error_log'))
def assess_dcerpc_exception(num=None, message=None):
    """
    Map an error reported by the Samba bindings to an IPA error instance.

    The numeric code is consulted first, then the message text; a hit in
    either lookup table returns the pre-built error object from that table
    (the same shared instance on every call).  When neither matches, a
    generic ``RemoteRetrieveError`` quoting both raw values is returned so
    the original code/message is not lost.

    :param num: numeric error code from Samba, or None
    :param message: textual error from Samba, or None
    :return: an IPA error instance; it is returned, never raised here
    """
    for key, table in ((num, dcerpc_error_codes),
                       (message, dcerpc_error_messages)):
        # Falsy keys (None, 0, "") are never looked up.
        if key and key in table:
            return table[key]
    reason = _('''CIFS server communication error: code "%(num)s",
                  message "%(message)s" (both may be "None")''') % dict(
        num=num, message=message)
    return errors.RemoteRetrieveError(reason=reason)
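def get_ca_certchain(ca_host=None):
    """
    Retrieve the CA Certificate chain from the configured Dogtag server.

    :param ca_host: Dogtag host to query; defaults to ``api.env.ca_host``.
    :return: the base64 text of the ``ChainBase64`` element of the
        ``/ca/ee/ca/getCertChain`` response.
    :raise RemoteRetrieveError: on a non-200 response, or when the
        response carries no ``ChainBase64`` element (the server's
        ``Error`` text is included in the reason when present).

    NOTE(review): the chain is fetched over plain HTTP (``ca_install_port``
    or ``UNSECURE_PORT``) with no authentication of the peer, so the result
    is only as trustworthy as the network path to ``ca_host``.  Callers
    that install this chain as a trust anchor should verify it out of band.
    """
    if ca_host is None:
        ca_host = api.env.ca_host
    chain = None
    conn = httplib.HTTPConnection(
        ca_host, api.env.ca_install_port
        or configured_constants().UNSECURE_PORT)
    try:
        conn.request("GET", "/ca/ee/ca/getCertChain")
        res = conn.getresponse()
        if res.status != 200:
            raise errors.RemoteRetrieveError(
                reason=_("request failed with HTTP status %d") % res.status)
        data = res.read()
    finally:
        # Release the connection on every path; previously it was only
        # closed after a 200 response and leaked otherwise.
        conn.close()

    doc = None
    try:
        doc = xml.dom.minidom.parseString(data)
        try:
            item_node = doc.getElementsByTagName("ChainBase64")
            chain = item_node[0].childNodes[0].data
        except IndexError:
            # No ChainBase64 node: surface the server's <Error> text if
            # there is one.  The RemoteRetrieveError raised inside this
            # inner try is deliberately caught by the handler below so that
            # both the "Error present" and "Error absent" cases produce the
            # same prefixed message.
            try:
                item_node = doc.getElementsByTagName("Error")
                reason = item_node[0].childNodes[0].data
                raise errors.RemoteRetrieveError(reason=reason)
            except Exception as e:
                raise errors.RemoteRetrieveError(
                    reason=_("Retrieving CA cert chain failed: %s") % e)
    finally:
        if doc:
            doc.unlink()

    return chain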
def ca_status(ca_host=None):
    """Return the status of the CA, and the httpd proxy in front of it

    Probes ``/ca/admin/ca/getStatus`` on port 8080 of ``ca_host`` (default
    ``api.env.ca_host``) over plain HTTP.  This is a liveness check only;
    nothing trust-bearing is read from the reply.

    The returned status can be:
    - running
    - starting
    - Service Temporarily Unavailable (passed through as the bare 503)

    :raise RemoteRetrieveError: for any HTTP status other than 200 or 503
    """
    host = api.env.ca_host if ca_host is None else ca_host
    status, _headers, body = http_request(host, 8080,
                                          '/ca/admin/ca/getStatus')
    # 503 is an expected answer while the CA is still coming up.
    if status == 503:
        return status
    if status == 200:
        return _parse_ca_status(body)
    raise errors.RemoteRetrieveError(
        reason=_("Retrieving CA status failed with status %d") % status)
    def __init__(self):
        """
        Connect to sssd's Users object on the system bus.

        Sets ``_bus``, ``_users_obj`` and ``_users_iface`` for use by the
        other methods of this object.

        :raise RemoteRetrieveError: if the bus, the object or the interface
            cannot be obtained; the underlying DBus error is logged at
            ERROR level before the translated error is raised
        """
        try:
            self._bus = dbus.SystemBus()
            users_obj = self._bus.get_object(DBUS_SSSD_NAME,
                                             DBUS_SSSD_USERS_PATH)
            self._users_obj = users_obj
            self._users_iface = dbus.Interface(users_obj, DBUS_SSSD_USERS_IF)
        except dbus.DBusException as e:
            logger.error(
                'Failed to initialize DBus interface %s. DBus '
                'exception is %s.', DBUS_SSSD_USERS_IF, e)
            raise errors.RemoteRetrieveError(
                reason=_('Failed to connect to sssd over SystemBus. '
                         'See details in the error_log'))
def ca_status(ca_host=None, use_proxy=True):
    """Return the status of the CA, and the httpd proxy in front of it

    Probes ``/ca/admin/ca/getStatus`` on ``ca_host`` (default
    ``api.env.ca_host``): on port 443 when ``use_proxy`` is true, so the
    httpd proxy is exercised as well, otherwise directly on 8443.

    The returned status can be:
    - running
    - starting
    - Service Temporarily Unavailable (passed through as the bare 503)

    :raise RemoteRetrieveError: for any HTTP status other than 200 or 503

    NOTE(review): the request goes through ``unauthenticated_https_request``;
    the name suggests the peer is not authenticated, which is fine for a
    liveness probe but means nothing trust-bearing should be read from the
    reply -- confirm against that helper.
    """
    host = api.env.ca_host if ca_host is None else ca_host
    port = 443 if use_proxy else 8443
    status, headers, body = unauthenticated_https_request(
        host, port, '/ca/admin/ca/getStatus')
    # 503 is an expected answer while the CA is still coming up.
    if status == 503:
        return status
    if status == 200:
        return _parse_ca_status(body)
    raise errors.RemoteRetrieveError(
        reason=_("Retrieving CA status failed with status %d") % status)
파일: dogtag.py 프로젝트: wladich/freeipa
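def get_ca_certchain(ca_host=None):
    """
    Retrieve the CA Certificate chain from the configured Dogtag server.

    :param ca_host: Dogtag host to query; defaults to ``api.env.ca_host``.
    :return: the base64 chain text, taken from ``Response.ChainBase64`` of
        a JSON reply or, failing that, from the ``ChainBase64`` element of
        an XML reply.
    :raise RemoteRetrieveError: on a non-200 response, or (via
        ``error_from_xml``) when an XML reply has no ``ChainBase64``
        element.  A reply that is neither JSON nor well-formed XML raises
        whatever the XML parser raises.

    NOTE(review): the request goes over plain HTTP (``ca_install_port`` or
    8080) with no peer authentication, so the returned chain is only as
    trustworthy as the network path to ``ca_host``; do not install it as a
    trust anchor without out-of-band verification.
    """
    if ca_host is None:
        ca_host = api.env.ca_host
    chain = None
    conn = httplib.HTTPConnection(
        ca_host,
        api.env.ca_install_port or 8080)
    try:
        conn.request("GET", "/ca/ee/ca/getCertChain")
        res = conn.getresponse()
        if res.status != 200:
            raise errors.RemoteRetrieveError(
                reason=_("request failed with HTTP status %d") % res.status)
        data = res.read()
    finally:
        # Release the connection on every path; previously it was only
        # closed after a 200 response and leaked otherwise.
        conn.close()

    try:
        # Try JSON first; fall back to XML on a decode failure or when the
        # expected keys are missing.
        doc = json.loads(data)
        chain = doc['Response']['ChainBase64']
    except (json.JSONDecodeError, KeyError):
        logger.debug("Response is not valid JSON, try XML")
        doc = xml.dom.minidom.parseString(data)
        try:
            item_node = doc.getElementsByTagName("ChainBase64")
            chain = item_node[0].childNodes[0].data
        except IndexError:
            raise error_from_xml(
                doc, _("Retrieving CA cert chain failed: %s"))
        finally:
            if doc:
                doc.unlink()

    return chain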
from ipaserver.ipaldap import IPAdmin
from ipalib.session import krbccache_dir, krbccache_prefix
from ipapython import dnsclient

__doc__ = _("""
Classes to manage trust joins using DCE-RPC calls

The code in this module relies heavily on samba4-python package
and Samba4 python bindings.
""")

# Pre-built error instances handed out by assess_dcerpc_exception().  They
# are module-level singletons: the same object is returned on every lookup,
# so callers must not mutate the instance they receive.
access_denied_error = errors.ACIError(
    info=_('CIFS server denied your credentials'))
# Keyed by the numeric code reported by the Samba bindings.  NOTE(review):
# the keys look like NTSTATUS values expressed as signed 32-bit ints (e.g.
# -1073741790 == 0xC0000022, STATUS_ACCESS_DENIED) -- confirm against the
# bindings before adding entries.
dcerpc_error_codes = {
    -1073741823:
    errors.RemoteRetrieveError(
        reason=_('communication with CIFS server was unsuccessful')),
    # three distinct codes all surface as a credentials error
    -1073741790:
    access_denied_error,
    -1073741715:
    access_denied_error,
    -1073741614:
    access_denied_error,
    -1073741603:
    errors.ValidationError(name=_('AD domain controller'),
                           error=_('unsupported functional level')),
}

dcerpc_error_messages = {
    "NT_STATUS_OBJECT_NAME_NOT_FOUND":
    errors.NotFound(reason=_('Cannot find specified domain or server name')),
    "NT_STATUS_INVALID_PARAMETER_MIX":