def check_password(self, password):
""" simple check for a password that might become more complex sometime """
good_pwd = str(self.contact["password"])
old_pwd = str(self.contact["old_password"])
if CFG.pam_auth_service:
# a PAM service is defined
# We have to check the user's rhnUserInfo.use_pam_authentication
# XXX Should we create yet another __init_blah function?
# since it's the first time we had to lool at rhnUserInfo,
# I'll assume it's not something to happen very frequently,
# so I'll use a query for now
# - misa
#
h = rhnSQL.prepare("""
select ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = UPPER(:login)
and w.id = ui.user_id""")
h.execute(login=self.contact["login"])
data = h.fetchone_dict()
if not data:
# This should not happen
raise rhnException("No entry found for user %s" %
self.contact["login"])
if data['use_pam_authentication'] == 'Y':
# use PAM
import rhnAuthPAM
return rhnAuthPAM.check_password(self.contact["login"],
password, CFG.pam_auth_service)
# If the entry in rhnUserInfo is 'N', perform regular
# authentication
return check_password(password, good_pwd, old_pwd)
def __reserve_user_db(user, password):
encrypted_password = CFG.encrypted_passwords
log_debug(3, user, CFG.disallow_user_creation, encrypted_password, CFG.pam_auth_service)
user = str(user)
h = rhnSQL.prepare("""
select w.id, w.password, w.old_password, w.org_id, ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = upper(:p1)
and w.id = ui.user_id
""")
h.execute(p1=user)
data = h.fetchone_dict()
if data and data["id"]:
# contact exists, check password
if data['use_pam_authentication'] == 'Y' and CFG.pam_auth_service:
# We use PAM for authentication
import rhnAuthPAM
if rhnAuthPAM.check_password(user, password, CFG.pam_auth_service) > 0:
return 1
return -1
if check_password(password, data['password'], data['old_password']) > 0:
return 1
return -1
# user doesn't exist. now we fail, instead of reserving user.
if CFG.disallow_user_creation:
raise rhnFault(2001)
# now check the reserved table
h = rhnSQL.prepare("""
select r.login, r.password from rhnUserReserved r
where r.login_uc = upper(:p1)
""")
h.execute(p1=user)
data = h.fetchone_dict()
if data and data["login"]:
# found already reserved
if check_password(password, data["password"], None) > 0:
return 1
return -2
validate_new_username(user)
log_debug(3, "calling validate_new_password" )
validate_new_password(password)
# this is not reserved either, register it
if encrypted_password:
# Encrypt the password, let the function pick the salt
password = encrypt_password(password)
h = rhnSQL.prepare("""
insert into rhnUserReserved (login, password)
values (:username, :password)
""")
h.execute(username=user, password=password)
rhnSQL.commit()
# all should be dandy
return 0
def __new_user_db(username, password, email, org_id, org_password):
encrypted_password = CFG.encrypted_passwords
log_debug(3, username, email, encrypted_password)
# now search it in the database
h = rhnSQL.prepare("""
select w.id, w.password, ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = upper(:username)
and w.id = ui.user_id
""")
h.execute(username=username)
data = h.fetchone_dict()
pre_existing_user = 0
if not data:
# the username is not there, check the reserved user table
h = rhnSQL.prepare("""
select login, password from rhnUserReserved
where login_uc = upper(:username)
""")
h.execute(username=username)
data = h.fetchone_dict()
if not data: # nope, not reserved either
raise rhnFault(1,
_("Username `%s' has not been reserved") % username)
else:
pre_existing_user = 1
if not pre_existing_user and not email:
# New accounts have to specify an e-mail address
raise rhnFault(30, _("E-mail address not specified"))
# we have to perform PAM authentication if data has a field called
# 'use_pam_authentication' and its value is 'Y', and we do have a PAM
# service set in the config file.
# Note that if the user is only reserved we don't do PAM authentication
if data.get('use_pam_authentication') == 'Y' and CFG.pam_auth_service:
# Check the password with PAM
import rhnAuthPAM
if rhnAuthPAM.check_password(username, password,
CFG.pam_auth_service) <= 0:
# Bad password
raise rhnFault(2)
# We don't care about the password anymore, replace it with something
import time
password = '******' % time.time()
else:
# Regular authentication
if check_password(password, data["password"]) == 0:
# Bad password
raise rhnFault(2)
# creation of user was never supported in spacewalk but this call was mis-used
# to check username/password in the past
# so let's skip other checks and return now
return 0
def __new_user_db(username, password, email, org_id, org_password):
encrypted_password = CFG.encrypted_passwords
log_debug(3, username, email, encrypted_password)
# now search it in the database
h = rhnSQL.prepare("""
select w.id, w.password, ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = upper(:username)
and w.id = ui.user_id
""")
h.execute(username=username)
data = h.fetchone_dict()
pre_existing_user = 0
if not data:
# the username is not there, check the reserved user table
h = rhnSQL.prepare("""
select login, password from rhnUserReserved
where login_uc = upper(:username)
""")
h.execute(username=username)
data = h.fetchone_dict()
if not data: # nope, not reserved either
raise rhnFault(1, _("Username `%s' has not been reserved") % username)
else:
pre_existing_user = 1
if not pre_existing_user and not email:
# New accounts have to specify an e-mail address
raise rhnFault(30, _("E-mail address not specified"))
# we have to perform PAM authentication if data has a field called
# 'use_pam_authentication' and its value is 'Y', and we do have a PAM
# service set in the config file.
# Note that if the user is only reserved we don't do PAM authentication
if data.get('use_pam_authentication') == 'Y' and CFG.pam_auth_service:
# Check the password with PAM
import rhnAuthPAM
if rhnAuthPAM.check_password(username, password, CFG.pam_auth_service) <= 0:
# Bad password
raise rhnFault(2)
# We don't care about the password anymore, replace it with something
import time
password = '******' % time.time()
else:
# Regular authentication
if check_password(password, data["password"]) == 0:
# Bad password
raise rhnFault(2)
# creation of user was never supported in spacewalk but this call was mis-used
# to check username/password in the past
# so let's skip other checks and return now
return 0
def check_password(self, password, allow_read_only=False):
""" simple check for a password that might become more complex sometime """
if not allow_read_only and is_user_read_only(self.contact["login"]):
raise rhnFault(702)
good_pwd = str(self.contact["password"])
if CFG.pam_auth_service:
# a PAM service is defined
# We have to check the user's rhnUserInfo.use_pam_authentication
# XXX Should we create yet another __init_blah function?
# since it's the first time we had to lool at rhnUserInfo,
# I'll assume it's not something to happen very frequently,
# so I'll use a query for now
# - misa
#
h = rhnSQL.prepare("""
select ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = UPPER(:login)
and w.id = ui.user_id""")
h.execute(login=self.contact["login"])
data = h.fetchone_dict()
if not data:
# This should not happen
raise rhnException("No entry found for user %s" %
self.contact["login"])
if data['use_pam_authentication'] == 'Y':
# use PAM
import rhnAuthPAM
return rhnAuthPAM.check_password(self.contact["login"],
password,
CFG.pam_auth_service)
# If the entry in rhnUserInfo is 'N', perform regular authentication
ret = check_password(password, good_pwd)
if ret and CFG.encrypted_passwords and self.contact['password'].find(
'$1$') == 0:
# If successfully authenticated and the current password is
# MD5 encoded, convert the password to SHA-256 and save it in the DB.
self.contact['password'] = encrypt_password(password)
self.contact.save()
rhnSQL.commit()
return ret
def check_password(self, password, allow_read_only=False):
""" simple check for a password that might become more complex sometime """
if not allow_read_only and is_user_read_only(self.contact["login"]):
raise rhnFault(702)
good_pwd = str(self.contact["password"])
if CFG.pam_auth_service:
# a PAM service is defined
# We have to check the user's rhnUserInfo.use_pam_authentication
# XXX Should we create yet another __init_blah function?
# since it's the first time we had to lool at rhnUserInfo,
# I'll assume it's not something to happen very frequently,
# so I'll use a query for now
# - misa
#
h = rhnSQL.prepare(
"""
select ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = UPPER(:login)
and w.id = ui.user_id"""
)
h.execute(login=self.contact["login"])
data = h.fetchone_dict()
if not data:
# This should not happen
raise rhnException("No entry found for user %s" % self.contact["login"])
if data["use_pam_authentication"] == "Y":
# use PAM
import rhnAuthPAM
return rhnAuthPAM.check_password(self.contact["login"], password, CFG.pam_auth_service)
# If the entry in rhnUserInfo is 'N', perform regular authentication
ret = check_password(password, good_pwd)
if ret and CFG.encrypted_passwords and self.contact["password"].find("$1$") == 0:
# If successfully authenticated and the current password is
# MD5 encoded, convert the password to SHA-256 and save it in the DB.
self.contact["password"] = encrypt_password(password)
self.contact.save()
rhnSQL.commit()
return ret
def __reserve_user_db(user, password):
encrypted_password = CFG.encrypted_passwords
log_debug(3, user, CFG.disallow_user_creation, encrypted_password,
CFG.pam_auth_service)
user = str(user)
h = rhnSQL.prepare("""
select w.id, w.password, w.org_id, ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = upper(:p1)
and w.id = ui.user_id
""")
h.execute(p1=user)
data = h.fetchone_dict()
if data and data["id"]:
# contact exists, check password
if data['use_pam_authentication'] == 'Y' and CFG.pam_auth_service:
# We use PAM for authentication
import rhnAuthPAM
if rhnAuthPAM.check_password(user, password,
CFG.pam_auth_service) > 0:
return 1
return -1
if check_password(password, data['password']) > 0:
return 1
return -1
# user doesn't exist. now we fail, instead of reserving user.
if CFG.disallow_user_creation:
raise rhnFault(2001)
user, password = check_user_password(user, password)
# now check the reserved table
h = rhnSQL.prepare("""
select r.login, r.password from rhnUserReserved r
where r.login_uc = upper(:p1)
""")
h.execute(p1=user)
data = h.fetchone_dict()
if data and data["login"]:
# found already reserved
if check_password(password, data["password"]) > 0:
return 1
return -2
validate_new_username(user)
log_debug(3, "calling validate_new_password")
validate_new_password(password)
# this is not reserved either, register it
if encrypted_password:
# Encrypt the password, let the function pick the salt
password = encrypt_password(password)
h = rhnSQL.prepare("""
insert into rhnUserReserved (login, password)
values (:username, :password)
""")
h.execute(username=user, password=password)
rhnSQL.commit()
# all should be dandy
return 0
def __new_user_db(username, password, email, org_id, org_password):
encrypted_password = CFG.encrypted_passwords
log_debug(3, username, email, encrypted_password)
# now search it in the database
h = rhnSQL.prepare("""
select w.id, w.password, w.old_password, ui.use_pam_authentication
from web_contact w, rhnUserInfo ui
where w.login_uc = upper(:username)
and w.id = ui.user_id
""")
h.execute(username=username)
data = h.fetchone_dict()
pre_existing_user = 0
if not data:
# the username is not there, check the reserved user table
h = rhnSQL.prepare("""
select login, password, password old_password from rhnUserReserved
where login_uc = upper(:username)
""")
h.execute(username=username)
data = h.fetchone_dict()
if not data: # nope, not reserved either
raise rhnFault(1, _("Username `%s' has not been reserved") % username)
else:
pre_existing_user = 1
if not pre_existing_user and not email:
# New accounts have to specify an e-mail address
raise rhnFault(30, _("E-mail address not specified"))
# we have to perform PAM authentication if data has a field called
# 'use_pam_authentication' and its value is 'Y', and we do have a PAM
# service set in the config file.
# Note that if the user is only reserved we don't do PAM authentication
if data.get('use_pam_authentication') == 'Y' and CFG.pam_auth_service:
# Check the password with PAM
import rhnAuthPAM
if rhnAuthPAM.check_password(username, password, CFG.pam_auth_service) <= 0:
# Bad password
raise rhnFault(2)
# We don't care about the password anymore, replace it with something
import time
password = '******' % time.time()
else:
# Regular authentication
if check_password(password, data["password"], data["old_password"]) == 0:
# Bad password
raise rhnFault(2)
# From this point on, the password may be encrypted
if encrypted_password:
password = encrypt_password(password)
is_real = 0
# the password matches, do we need to create a new entry?
if not data.has_key("id"):
user = User(username, password)
else: # we have to reload this entry into a User structure
user = User(username, password)
if not user.reload(data["id"]) == 0:
# something horked during reloading entry from database
# we can not really say that the entry does not exist...
raise rhnFault(10)
is_real = 1
# now we have user reloaded, check for updated email
if email:
# don't update the user's email address in the satellite context...
# we *must* in the live context, but user creation through up2date --register
# is disallowed in the satellite context anyway...
if not pre_existing_user:
user.set_info("email", email)
# XXX This should go away eventually
if org_id and org_password: # check out this org
h = rhnSQL.prepare("""
select id, password from web_customer
where id = :org_id
""")
h.execute(org_id=str(org_id))
data = h.fetchone_dict()
if not data: # wrong organization
raise rhnFault(2, _("Invalid Organization Credentials"))
# The org password is not encrypted, easy comparison
if string.lower(org_password) != string.lower(data["password"]):
# Invalid org password
raise rhnFault(2, _("Invalid Organization Credentials"))
if is_real: # this is a real entry, don't clobber the org_id
old_org_id = user.contact["org_id"]
new_org_id = data["id"]
if old_org_id != new_org_id:
raise rhnFault(42,
_("User `%s' not a member of organization %s") %
(username, org_id))
else: # new user, set its org
user.set_org_id(data["id"])
# force the save if this is a new entry
ret = user.save()
if not ret == 0:
raise rhnFault(5)
# check if we need to remove the reservation
if not data.has_key("id"):
# remove reservation
h = rhnSQL.prepare("""
delete from rhnUserReserved where login_uc = upper(:username)
""")
h.execute(username=username)
return 0
