def setSambaPassword(self, user, object_dn, password):
"""
Set a new samba-password for a user
"""
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User", "sambaNTPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug("user '%s' has insufficient permissions to write %s on %s, required is %s:%s" % (
user, "isLocked", object_dn, topic, "w"))
raise ACLException(C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User", "sambaLMPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug("user '%s' has insufficient permissions to write %s on %s, required is %s:%s" % (
user, "isLocked", object_dn, topic, "w"))
raise ACLException(C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
# Set the password and commit the changes
user = ObjectProxy(object_dn)
user.sambaNTPassword = nthash.encrypt(password)
user.sambaLMPassword = lmhash.encrypt(password)
user.commit()
def lockAccountPassword(self, user, object_dn):
"""
Locks the account password for the given DN
"""
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User",
"userPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w"))
raise ACLException(
C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
# Get the object for the given dn
user = ObjectProxy(object_dn)
# Check if there is a userPasswort available and set
if not "userPassword" in user.get_attributes():
raise PasswordException(C.make_error("PASSWORD_NO_ATTRIBUTE"))
if not user.userPassword:
raise PasswordException(C.make_error("PASSWORD_NOT_AVAILABLE"))
# Try to detect the responsible password method-class
pwd_o = self.detect_method_by_hash(user.userPassword)
if not pwd_o:
raise PasswordException(C.make_error("PASSWORD_METHOD_UNKNOWN"))
# Lock the hash and save it
user.userPassword = pwd_o.lock_account(user.userPassword)
user.commit()
def setUserPassword(self, user, object_dn, password):
"""
Set a new password for a user
"""
# Do we have write permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User",
"userPassword")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w"))
raise ACLException(
C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
user = ObjectProxy(object_dn)
method = user.passwordMethod
# Try to detect the responsible password method-class
pwd_o = self.get_method_by_method_type(method)
if not pwd_o:
raise PasswordException(
C.make_error("PASSWORD_UNKNOWN_HASH", type=method))
# Generate the new password hash using the detected method
pwd_str = pwd_o.generate_password_hash(password, method)
# Set the password and commit the changes
user.userPassword = pwd_str
user.commit()
def accountUnlockable(self, user, object_dn):
index = PluginRegistry.getInstance("ObjectIndex")
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User",
"isLocked")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "r", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to read %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "r"))
raise ACLException(
C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
res = index.search({
'dn': object_dn,
'userPassword': '******'
}, {'userPassword': 1})
if len(res):
hsh = res[0]['userPassword'][0]
else:
# No password hash -> cannot lock/unlock account
return False
# Try to detect the responsible password method-class
pwd_o = self.detect_method_by_hash(hsh)
if not pwd_o:
# Could not identify password method
return False
return pwd_o.isUnlockable(hsh)
def registerWebhook(self, user, sender_name, mime_type):
topic = "%s.webhook.%s" % (self.env.domain, mime_type)
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "e"):
self.log.debug("user '%s' has insufficient permissions to register webhook for mime-type %s" % (user, mime_type))
raise ACLException(C.make_error('PERMISSION_ACCESS', topic))
# check sender_name syntax
if not self.name_check.match(sender_name):
raise WebhookException(C.make_error('INVALID_WEBHOOK_SENDER_NAME'))
# check mime-type syntax
if not self.mime_type_check.match(mime_type):
raise WebhookException(C.make_error('INVALID_WEBHOOK_MIME_TYPE'))
# check for duplicates
if mime_type not in self.__handlers:
raise WebhookException(C.make_error('NO_REGISTERED_WEBHOOK_HANDLER', mime_type))
path = self.get_path(mime_type, sender_name)
if self.settings.has(path):
raise WebhookException(C.make_error('EXISTING_WEBHOOK_HANDLER', mime_type, name=sender_name))
self.settings.set(path, str(uuid.uuid4()))
return self.getWebhookUrl(), self.settings.get(path)
def getSetting(self, user, path):
topic = "%s.settings.%s" % (self.env.domain, path)
if not self._acl.check(user, topic, "r"):
self.__log.debug("user '%s' has insufficient permissions to read setting in path %s" % (user, path))
raise ACLException(C.make_error('PERMISSION_ACCESS', topic))
handler, param, handler_path = self.__get_path_infos(path)
return handler.get(param)
def __check_acl(self, user_name, object_dn, actions):
# Do we have read permissions for the requested attribute
topic = "%s.objects.%s.attributes.%s" % (self.env.domain, "User",
"twoFactorMethod")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user_name, topic, "r", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions for %s on %s, required is %s:%s"
% (user_name, "twoFactorMethod", object_dn, topic, actions))
raise ACLException(
C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
def registerWebhook(self, user, sender_name, content_type):
topic = "%s.webhook.%s" % (self.env.domain, content_type)
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "e"):
self.__log.debug(
"user '%s' has insufficient permissions to register webhook for content type %s"
% (user, content_type))
raise ACLException(C.make_error('PERMISSION_ACCESS', topic))
if content_type not in self.__handlers:
raise WebhookException(
C.make_error('NO_REGISTERED_WEBHOOK_HANDLER', content_type))
if content_type not in self.__hooks:
self.__hooks[content_type] = {}
if sender_name not in self.__hooks[content_type]:
self.__hooks[content_type] = bytes(uuid.uuid4(), 'ascii')
return self.get_webhook_url(), self.__hooks[content_type][sender_name]
def setPasswordRecoveryAnswers(self, user, object_dn, data):
"""
Set the password recovery answers for a user
"""
data = loads(data)
# Do we have read permissions for the requested attribute
env = Environment.getInstance()
topic = "%s.objects.%s.attributes.%s" % (env.domain, "User",
"passwordRecoveryHash")
aclresolver = PluginRegistry.getInstance("ACLResolver")
if not aclresolver.check(user, topic, "w", base=object_dn):
self.__log.debug(
"user '%s' has insufficient permissions to write %s on %s, required is %s:%s"
% (user, "isLocked", object_dn, topic, "w"))
raise ACLException(
C.make_error('PERMISSION_ACCESS', topic, target=object_dn))
user = ObjectProxy(object_dn)
method = user.passwordMethod
# Try to detect the responsible password method-class
pwd_o = self.get_method_by_method_type(method)
if not pwd_o:
raise PasswordException(
C.make_error("PASSWORD_UNKNOWN_HASH", type=method))
# hash the new answers
for idx, answer in data.items():
data[idx] = pwd_o.generate_password_hash(self.clean_string(answer),
method)
print("%s encrypted with %s as index %s => %s" %
(self.clean_string(answer), method, idx, data[idx]))
# Set the password and commit the changes
user.passwordRecoveryHash = dumps(data)
user.commit()