def check_password(self, password): """ simple check for a password that might become more complex sometime """ good_pwd = str(self.contact["password"]) old_pwd = str(self.contact["old_password"]) if CFG.pam_auth_service: # a PAM service is defined # We have to check the user's rhnUserInfo.use_pam_authentication # XXX Should we create yet another __init_blah function? # since it's the first time we had to lool at rhnUserInfo, # I'll assume it's not something to happen very frequently, # so I'll use a query for now # - misa # h = rhnSQL.prepare(""" select ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = UPPER(:login) and w.id = ui.user_id""") h.execute(login=self.contact["login"]) data = h.fetchone_dict() if not data: # This should not happen raise rhnException("No entry found for user %s" % self.contact["login"]) if data['use_pam_authentication'] == 'Y': # use PAM import rhnAuthPAM return rhnAuthPAM.check_password(self.contact["login"], password, CFG.pam_auth_service) # If the entry in rhnUserInfo is 'N', perform regular # authentication return check_password(password, good_pwd, old_pwd)
def __reserve_user_db(user, password): encrypted_password = CFG.encrypted_passwords log_debug(3, user, CFG.disallow_user_creation, encrypted_password, CFG.pam_auth_service) user = str(user) h = rhnSQL.prepare(""" select w.id, w.password, w.old_password, w.org_id, ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = upper(:p1) and w.id = ui.user_id """) h.execute(p1=user) data = h.fetchone_dict() if data and data["id"]: # contact exists, check password if data['use_pam_authentication'] == 'Y' and CFG.pam_auth_service: # We use PAM for authentication import rhnAuthPAM if rhnAuthPAM.check_password(user, password, CFG.pam_auth_service) > 0: return 1 return -1 if check_password(password, data['password'], data['old_password']) > 0: return 1 return -1 # user doesn't exist. now we fail, instead of reserving user. if CFG.disallow_user_creation: raise rhnFault(2001) # now check the reserved table h = rhnSQL.prepare(""" select r.login, r.password from rhnUserReserved r where r.login_uc = upper(:p1) """) h.execute(p1=user) data = h.fetchone_dict() if data and data["login"]: # found already reserved if check_password(password, data["password"], None) > 0: return 1 return -2 validate_new_username(user) log_debug(3, "calling validate_new_password" ) validate_new_password(password) # this is not reserved either, register it if encrypted_password: # Encrypt the password, let the function pick the salt password = encrypt_password(password) h = rhnSQL.prepare(""" insert into rhnUserReserved (login, password) values (:username, :password) """) h.execute(username=user, password=password) rhnSQL.commit() # all should be dandy return 0
def __new_user_db(username, password, email, org_id, org_password): encrypted_password = CFG.encrypted_passwords log_debug(3, username, email, encrypted_password) # now search it in the database h = rhnSQL.prepare(""" select w.id, w.password, ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = upper(:username) and w.id = ui.user_id """) h.execute(username=username) data = h.fetchone_dict() pre_existing_user = 0 if not data: # the username is not there, check the reserved user table h = rhnSQL.prepare(""" select login, password from rhnUserReserved where login_uc = upper(:username) """) h.execute(username=username) data = h.fetchone_dict() if not data: # nope, not reserved either raise rhnFault(1, _("Username `%s' has not been reserved") % username) else: pre_existing_user = 1 if not pre_existing_user and not email: # New accounts have to specify an e-mail address raise rhnFault(30, _("E-mail address not specified")) # we have to perform PAM authentication if data has a field called # 'use_pam_authentication' and its value is 'Y', and we do have a PAM # service set in the config file. # Note that if the user is only reserved we don't do PAM authentication if data.get('use_pam_authentication') == 'Y' and CFG.pam_auth_service: # Check the password with PAM import rhnAuthPAM if rhnAuthPAM.check_password(username, password, CFG.pam_auth_service) <= 0: # Bad password raise rhnFault(2) # We don't care about the password anymore, replace it with something import time password = '******' % time.time() else: # Regular authentication if check_password(password, data["password"]) == 0: # Bad password raise rhnFault(2) # creation of user was never supported in spacewalk but this call was mis-used # to check username/password in the past # so let's skip other checks and return now return 0
def __new_user_db(username, password, email, org_id, org_password): encrypted_password = CFG.encrypted_passwords log_debug(3, username, email, encrypted_password) # now search it in the database h = rhnSQL.prepare(""" select w.id, w.password, ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = upper(:username) and w.id = ui.user_id """) h.execute(username=username) data = h.fetchone_dict() pre_existing_user = 0 if not data: # the username is not there, check the reserved user table h = rhnSQL.prepare(""" select login, password from rhnUserReserved where login_uc = upper(:username) """) h.execute(username=username) data = h.fetchone_dict() if not data: # nope, not reserved either raise rhnFault(1, _("Username `%s' has not been reserved") % username) else: pre_existing_user = 1 if not pre_existing_user and not email: # New accounts have to specify an e-mail address raise rhnFault(30, _("E-mail address not specified")) # we have to perform PAM authentication if data has a field called # 'use_pam_authentication' and its value is 'Y', and we do have a PAM # service set in the config file. # Note that if the user is only reserved we don't do PAM authentication if data.get('use_pam_authentication') == 'Y' and CFG.pam_auth_service: # Check the password with PAM import rhnAuthPAM if rhnAuthPAM.check_password(username, password, CFG.pam_auth_service) <= 0: # Bad password raise rhnFault(2) # We don't care about the password anymore, replace it with something import time password = '******' % time.time() else: # Regular authentication if check_password(password, data["password"]) == 0: # Bad password raise rhnFault(2) # creation of user was never supported in spacewalk but this call was mis-used # to check username/password in the past # so let's skip other checks and return now return 0
def check_password(self, password, allow_read_only=False): """ simple check for a password that might become more complex sometime """ if not allow_read_only and is_user_read_only(self.contact["login"]): raise rhnFault(702) good_pwd = str(self.contact["password"]) if CFG.pam_auth_service: # a PAM service is defined # We have to check the user's rhnUserInfo.use_pam_authentication # XXX Should we create yet another __init_blah function? # since it's the first time we had to lool at rhnUserInfo, # I'll assume it's not something to happen very frequently, # so I'll use a query for now # - misa # h = rhnSQL.prepare(""" select ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = UPPER(:login) and w.id = ui.user_id""") h.execute(login=self.contact["login"]) data = h.fetchone_dict() if not data: # This should not happen raise rhnException("No entry found for user %s" % self.contact["login"]) if data['use_pam_authentication'] == 'Y': # use PAM import rhnAuthPAM return rhnAuthPAM.check_password(self.contact["login"], password, CFG.pam_auth_service) # If the entry in rhnUserInfo is 'N', perform regular authentication ret = check_password(password, good_pwd) if ret and CFG.encrypted_passwords and self.contact['password'].find( '$1$') == 0: # If successfully authenticated and the current password is # MD5 encoded, convert the password to SHA-256 and save it in the DB. self.contact['password'] = encrypt_password(password) self.contact.save() rhnSQL.commit() return ret
def check_password(self, password, allow_read_only=False): """ simple check for a password that might become more complex sometime """ if not allow_read_only and is_user_read_only(self.contact["login"]): raise rhnFault(702) good_pwd = str(self.contact["password"]) if CFG.pam_auth_service: # a PAM service is defined # We have to check the user's rhnUserInfo.use_pam_authentication # XXX Should we create yet another __init_blah function? # since it's the first time we had to lool at rhnUserInfo, # I'll assume it's not something to happen very frequently, # so I'll use a query for now # - misa # h = rhnSQL.prepare( """ select ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = UPPER(:login) and w.id = ui.user_id""" ) h.execute(login=self.contact["login"]) data = h.fetchone_dict() if not data: # This should not happen raise rhnException("No entry found for user %s" % self.contact["login"]) if data["use_pam_authentication"] == "Y": # use PAM import rhnAuthPAM return rhnAuthPAM.check_password(self.contact["login"], password, CFG.pam_auth_service) # If the entry in rhnUserInfo is 'N', perform regular authentication ret = check_password(password, good_pwd) if ret and CFG.encrypted_passwords and self.contact["password"].find("$1$") == 0: # If successfully authenticated and the current password is # MD5 encoded, convert the password to SHA-256 and save it in the DB. self.contact["password"] = encrypt_password(password) self.contact.save() rhnSQL.commit() return ret
def __reserve_user_db(user, password): encrypted_password = CFG.encrypted_passwords log_debug(3, user, CFG.disallow_user_creation, encrypted_password, CFG.pam_auth_service) user = str(user) h = rhnSQL.prepare(""" select w.id, w.password, w.org_id, ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = upper(:p1) and w.id = ui.user_id """) h.execute(p1=user) data = h.fetchone_dict() if data and data["id"]: # contact exists, check password if data['use_pam_authentication'] == 'Y' and CFG.pam_auth_service: # We use PAM for authentication import rhnAuthPAM if rhnAuthPAM.check_password(user, password, CFG.pam_auth_service) > 0: return 1 return -1 if check_password(password, data['password']) > 0: return 1 return -1 # user doesn't exist. now we fail, instead of reserving user. if CFG.disallow_user_creation: raise rhnFault(2001) user, password = check_user_password(user, password) # now check the reserved table h = rhnSQL.prepare(""" select r.login, r.password from rhnUserReserved r where r.login_uc = upper(:p1) """) h.execute(p1=user) data = h.fetchone_dict() if data and data["login"]: # found already reserved if check_password(password, data["password"]) > 0: return 1 return -2 validate_new_username(user) log_debug(3, "calling validate_new_password") validate_new_password(password) # this is not reserved either, register it if encrypted_password: # Encrypt the password, let the function pick the salt password = encrypt_password(password) h = rhnSQL.prepare(""" insert into rhnUserReserved (login, password) values (:username, :password) """) h.execute(username=user, password=password) rhnSQL.commit() # all should be dandy return 0
def __new_user_db(username, password, email, org_id, org_password): encrypted_password = CFG.encrypted_passwords log_debug(3, username, email, encrypted_password) # now search it in the database h = rhnSQL.prepare(""" select w.id, w.password, w.old_password, ui.use_pam_authentication from web_contact w, rhnUserInfo ui where w.login_uc = upper(:username) and w.id = ui.user_id """) h.execute(username=username) data = h.fetchone_dict() pre_existing_user = 0 if not data: # the username is not there, check the reserved user table h = rhnSQL.prepare(""" select login, password, password old_password from rhnUserReserved where login_uc = upper(:username) """) h.execute(username=username) data = h.fetchone_dict() if not data: # nope, not reserved either raise rhnFault(1, _("Username `%s' has not been reserved") % username) else: pre_existing_user = 1 if not pre_existing_user and not email: # New accounts have to specify an e-mail address raise rhnFault(30, _("E-mail address not specified")) # we have to perform PAM authentication if data has a field called # 'use_pam_authentication' and its value is 'Y', and we do have a PAM # service set in the config file. # Note that if the user is only reserved we don't do PAM authentication if data.get('use_pam_authentication') == 'Y' and CFG.pam_auth_service: # Check the password with PAM import rhnAuthPAM if rhnAuthPAM.check_password(username, password, CFG.pam_auth_service) <= 0: # Bad password raise rhnFault(2) # We don't care about the password anymore, replace it with something import time password = '******' % time.time() else: # Regular authentication if check_password(password, data["password"], data["old_password"]) == 0: # Bad password raise rhnFault(2) # From this point on, the password may be encrypted if encrypted_password: password = encrypt_password(password) is_real = 0 # the password matches, do we need to create a new entry? if not data.has_key("id"): user = User(username, password) else: # we have to reload this entry into a User structure user = User(username, password) if not user.reload(data["id"]) == 0: # something horked during reloading entry from database # we can not really say that the entry does not exist... raise rhnFault(10) is_real = 1 # now we have user reloaded, check for updated email if email: # don't update the user's email address in the satellite context... # we *must* in the live context, but user creation through up2date --register # is disallowed in the satellite context anyway... if not pre_existing_user: user.set_info("email", email) # XXX This should go away eventually if org_id and org_password: # check out this org h = rhnSQL.prepare(""" select id, password from web_customer where id = :org_id """) h.execute(org_id=str(org_id)) data = h.fetchone_dict() if not data: # wrong organization raise rhnFault(2, _("Invalid Organization Credentials")) # The org password is not encrypted, easy comparison if string.lower(org_password) != string.lower(data["password"]): # Invalid org password raise rhnFault(2, _("Invalid Organization Credentials")) if is_real: # this is a real entry, don't clobber the org_id old_org_id = user.contact["org_id"] new_org_id = data["id"] if old_org_id != new_org_id: raise rhnFault(42, _("User `%s' not a member of organization %s") % (username, org_id)) else: # new user, set its org user.set_org_id(data["id"]) # force the save if this is a new entry ret = user.save() if not ret == 0: raise rhnFault(5) # check if we need to remove the reservation if not data.has_key("id"): # remove reservation h = rhnSQL.prepare(""" delete from rhnUserReserved where login_uc = upper(:username) """) h.execute(username=username) return 0