????

Your IP : 18.226.248.17


Current Path : /proc/self/root/usr/lib/python3.6/site-packages/authselect/
Upload File :
Current File : //proc/self/root/usr/lib/python3.6/site-packages/authselect/authcompat.py

#!/usr/libexec/platform-python
# -*- coding: utf-8 -*-
#
#    Authors:
#        Pavel Březina <pbrezina@redhat.com>
#
#    Copyright (C) 2018 Red Hat
#
#    This program is free software; you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation; either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

import os
import sys
import locale
import gettext
import subprocess


from authcompat_Options import Options
from authcompat_EnvironmentFile import EnvironmentFile
from authcompat_ConfigSnippet import ConfigSnippet

_ = gettext.gettext


def eprint(*args, **kwargs):
    print(*args, file=sys.stderr, **kwargs)


class Command:
    TEST = False

    def __init__(self, command, args, input=None, check=True):
        self.args = [command] + args
        self.input = input.encode() if input is not None else None
        self.check = check
        self.result = None

    def run(self):
        print(_("Executing: %s") % ' '.join(self.args))

        if self.TEST:
            return

        self.result = subprocess.run(self.args, check=self.check,
                                     input=self.input,
                                     stdout=subprocess.PIPE,
                                     stderr=subprocess.PIPE)


class Service:
    def __init__(self, name):
        self.name = name + '.service'

    def runsystemd(self, command, required, enoent_code):
        try:
            command.run()
        except subprocess.CalledProcessError as result:
            if required and result.returncode == enoent_code:
                eprint(_("Service %s was not found. Please install the service.")
                       % self.name)
            elif result.returncode != enoent_code:
                eprint(_("Command [%s] failed with %d, stderr:")
                       % (' '.join(result.cmd), result.returncode))
                eprint(result.stderr.decode())

    def enable(self):
        cmd = Command(Path.System("cmd-systemctl"), ["enable", self.name])
        self.runsystemd(cmd, True, 1)

    def disable(self):
        cmd = Command(Path.System("cmd-systemctl"), ["disable", self.name])
        self.runsystemd(cmd, False, 1)

    def start(self, Restart=True):
        if Restart:
            self.stop()
        cmd = Command(Path.System("cmd-systemctl"), ["start", self.name])
        self.runsystemd(cmd, True, 5)

    def stop(self):
        cmd = Command(Path.System("cmd-systemctl"), ["stop", self.name])
        self.runsystemd(cmd, False, 5)


class Path:
    LocalDir = os.path.dirname(os.path.realpath(__file__))
    Config = EnvironmentFile(LocalDir + "/authcompat_paths")

    Files = {
        'ldap.conf': '/etc/openldap/ldap.conf',
        'krb5.conf': '/etc/krb5.conf.d/authconfig-krb.conf',
        'sssd.conf': '/etc/sssd/conf.d/authconfig-sssd.conf',
        'authconfig': '/etc/sysconfig/authconfig',
        'network': '/etc/sysconfig/network',
        'pwquality.conf': '/etc/security/pwquality.conf.d/10-authconfig-pwquality.conf',
        'yp.conf': '/etc/yp.conf',
        'cmd-systemctl': '/usr/bin/systemctl',
        'cmd-authselect': '/usr/bin/authselect',
        'cmd-realm': '/usr/sbin/realm',
        'cmd-domainname': '/usr/bin/domainname',
        'cmd-setsebool': '/usr/sbin/setsebool'
    }

    @staticmethod
    def Local(relpath):
        return "%s/%s" % (Path.LocalDir, relpath)

    @staticmethod
    def System(name):
        return Path.Files[name]


class Configuration:
    class Base(object):
        def __init__(self, options, ServiceName=None):
            self.options = options
            self.service = None
            if ServiceName is not None:
                self.service = Service(ServiceName)

        def isEnabled(self):
            return True

        def isDisabled(self):
            return not self.isEnabled()

        def enableService(self, nostart):
            if self.service is None:
                return

            self.service.enable()

            if not nostart:
                self.service.start()

        def disableService(self, nostop):
            if self.service is None:
                return

            self.service.disable()

            if not nostop:
                self.service.stop()

        def cleanup(self):
            return

        def write(self):
            return

        def get(self, name):
            return self.options.get(name)

        def isset(self, name):
            return self.options.isset(name)

        def getTrueOrNone(self, name):
            return self.options.getTrueOrNone(name)

        def getBool(self, name):
            return self.options.getBool(name)

        def getBoolAsValue(self, name, if_true, if_false, AllowNone=False):
            if AllowNone and not self.isset(name):
                return None

            value = self.getBool(name)
            if value:
                return if_true

            return if_false

        def removeFile(self, filename):
            print(_("Removing file: %s") % filename)
            if self.options.getBool("test-call"):
                return

            try:
                os.remove(filename)
            except FileNotFoundError:
                return

    class LDAP(Base):
        def __init__(self, options):
            super(Configuration.LDAP, self).__init__(options)

        def write(self):
            config = EnvironmentFile(Path.System('ldap.conf'), " ",
                                     delimiter_re=r"\s\t", quotes=False)
            if self.isset("ldapserver"):
                config.set("URI", self.get("ldapserver"))

            if self.isset("ldapbasedn"):
                config.set("BASE", self.get("ldapbasedn"))

            config.write()

    class Kerberos(Base):
        def __init__(self, options):
            super(Configuration.Kerberos, self).__init__(options)

        def isEnabled(self):
            if not self.isset("krb5realm") and not self.isset("krb5realmdns"):
                return None

            return self.get("krb5realm") != "" or self.getBool("krb5realmdns")

        def cleanup(self):
            # Do not remove the file if these options are not set
            if not self.isset("krb5realm") and not self.isset("krb5realmdns"):
                return

            self.removeFile(Path.System('krb5.conf'))

        def write(self):
            if self.isDisabled():
                return

            path = Path.Local("snippets/authconfig-krb.conf")
            config = ConfigSnippet(path, Path.System('krb5.conf'))
            realm = self.get("krb5realm")

            keys = {
                'realm': self.get("krb5realm"),
                'kdc-srv': self.get("krb5kdcdns"),
                'realm-srv': self.get("krb5realmdns"),
                'kdc': self.get("krb5kdc") if realm else None,
                'adminserver': self.get("krb5adminserver") if realm else None,
                'domain': realm.lower() if realm else None
            }

            config.write(keys)

    class Network(Base):
        def __init__(self, options):
            super(Configuration.Network, self).__init__(options)

        def write(self):
            nisdomain = self.get("nisdomain")
            config = EnvironmentFile(Path.System('network'))

            if nisdomain is None:
                return

            config.set("NISDOMAIN", nisdomain)
            config.write()

    class SSSD(Base):
        def __init__(self, options):
            super(Configuration.SSSD, self).__init__(options, ServiceName="sssd")

        def isEnabled(self):
            if not self.isset("ldap") and not self.isset("sssd"):
                return None

            return self.getBool("ldap") or self.getBool("sssd")

        def cleanup(self):
            self.removeFile(Path.System('sssd.conf'))

        def write(self):
            # Authconfig would not generate sssd in this case so we should not
            # either. Even if --enablesssd[auth] was provided the configuration
            # would not be generated.
            if not self.getBool("ldap"):
                return

            path = Path.Local("snippets/authconfig-sssd.conf")
            config = ConfigSnippet(path, Path.System('sssd.conf'))

            schema = "rfc2307bis" if self.getBool("rfc2307bis") else None

            keys = {
                'ldap-uri': self.get("ldapserver"),
                'ldap-basedn': self.get("ldapbasedn"),
                'ldap-tls': self.getTrueOrNone("ldaptls"),
                'ldap-schema': schema,
                'krb5': self.getTrueOrNone("krb5"),
                'kdc-uri': self.get("krb5kdc"),
                'kpasswd-uri': self.get("krb5adminserver"),
                'realm': self.get("krb5realm"),
                'cache-creds': self.getTrueOrNone("cachecreds"),
                'cert-auth': self.getTrueOrNone("smartcard")
            }

            config.write(keys)
            os.chmod(Path.System('sssd.conf'), mode=0o600)

    class Winbind(Base):
        def __init__(self, options):
            super(Configuration.Winbind, self).__init__(options, ServiceName="winbind")

        def isEnabled(self):
            if not self.isset("winbind") and not self.isset("winbindauth"):
                return None

            return self.getBool("winbind") or self.getBool("winbindauth")

        def write(self):
            if not self.isset("winbindjoin"):
                return

            creds = self.options.get("winbindjoin").split("%", 1)

            user = creds[0]
            password = None
            if len(creds) > 1:
                password = creds[1] + '\n'

            args = [
                'join',
                '-U', '"%s"' % user,
                '--client-software', 'winbind'
            ]

            if self.isset("smbworkgroup"):
                args.append(self.get("smbworkgroup"))

            cmd = Command(Path.System('cmd-realm'), args, input=password)
            try:
                cmd.run()
            except FileNotFoundError:
                eprint(_("%s was not found. Please, install realmd.")
                       % Path.System('cmd-realm'))

    class PWQuality(Base):
        def __init__(self, options):
            super(Configuration.PWQuality, self).__init__(options)

        def write(self):
            config = EnvironmentFile(Path.System('pwquality.conf'))
            value_set = False

            pwopts = {
                "minlen": self.get("passminlen"),
                "minclass": self.get("passminclass"),
                "maxrepeat": self.get("passmaxrepeat"),
                "maxclassrepeat": self.get("passmaxclassrepeat"),
                "lcredit": self.getBoolAsValue("reqlower", -1, 0, AllowNone=True),
                "ucredit": self.getBoolAsValue("requpper", -1, 0, AllowNone=True),
                "dcredit": self.getBoolAsValue("reqdigit", -1, 0, AllowNone=True),
                "ocredit": self.getBoolAsValue("reqother", -1, 0, AllowNone=True)
            }

            # Write options only if their are actually set
            for opt, value in pwopts.items():
                if value is not None:
                    print(opt + "=" + str(value))
                    config.set(opt, value)
                    value_set = True

            if value_set:
                config.write()

    class MakeHomedir(Base):
        def __init__(self, options):
            super(Configuration.MakeHomedir, self).__init__(options, ServiceName="oddjobd")

        def isEnabled(self):
            if not self.isset("mkhomedir"):
                return None

            return self.getBool("mkhomedir")

        def disableService(self, nostop):
            # Never disable the service in case it is already running as
            # other applications may depend on it.
            return

    class NIS(Base):
        def __init__(self, options):
            super(Configuration.NIS, self).__init__(options)
            self.rpcbind = Service("rpcbind")
            self.ypbind = Service("ypbind")

        def isEnabled(self):
            if not self.isset("nis"):
                return None

            return self.getBool("nis")

        def enableService(self, nostart):
            if not self.isset("nisdomain"):
                return

            nisdom = self.get("nisdomain")

            if not nostart:
                cmd = Command(Path.System('cmd-domainname'), [nisdom])
                cmd.run()

            cmd = Command(Path.System('cmd-setsebool'),
                          ['-P', 'allow_ypbind', '1'])
            cmd.run()

            self.rpcbind.enable()
            self.ypbind.enable()

            if not nostart:
                self.rpcbind.start(Restart=False)
                self.ypbind.start()

        def disableService(self, nostop):
            if not nostop:
                cmd = Command(Path.System('cmd-domainname'), ["(none)"])
                cmd.run()

            cmd = Command(Path.System('cmd-setsebool'),
                          ['-P', 'allow_ypbind', '0'])
            cmd.run()

            self.rpcbind.disable()
            self.ypbind.disable()

            if not nostop:
                self.rpcbind.stop()
                self.ypbind.stop()

        def write(self):
            if not self.isset("nisdomain"):
                return

            output = "domain " + self.get("nisdomain")

            additional_servers = []
            if self.isset("nisserver"):
                servers = self.get("nisserver").split(",")
                additional_servers = servers[1:]
                output += " server " + servers[0] + "\n"
            else:
                output += " broadcast\n"

            for server in additional_servers:
                output += "ypserver " + server + "\n"

            filename = Path.System('yp.conf')
            if self.getBool("test-call"):
                print("========== BEGIN Content of [%s] ==========" % filename)
                print(output)
                print("========== END   Content of [%s] ==========\n" % filename)
                return

            with open(filename, "w") as f:
                f.write(output)


class AuthCompat:
    def __init__(self):
        self.sysconfig = EnvironmentFile(Path.System('authconfig'))
        self.options = Options()

        self.options.parse()
        self.options.applysysconfig(self.sysconfig)
        self.options.updatesysconfig(self.sysconfig)

    def printWarning(self):
        print(_("Running authconfig compatibility tool."))
        print(_("The purpose of this tool is to enable authentication against "
                "chosen services with authselect and minimum configuration. "
                "It does not provide all capabilities of authconfig.\n"))
        print(_("IMPORTANT: authconfig is replaced by authselect, "
                "please update your scripts."))
        print(_("See man authselect-migration(7) to help you with migration to authselect"))

        options = self.options.getSetButUnsupported()
        if options:
            print(_("Warning: These options are not supported anymore "
                    "and have no effect:"))
            for name in options:
                print("  --%s" % name)

        print("")

    def printOptions(self):
        for option in Options.List:
            print("%s=%s" % (option.name, option.value))

    def printSysconfig(self):
        for line in self.sysconfig.getall():
            print("%s=%s" % (line.name, line.value))

    def canContinue(self):
        disallowed = ["test", "probe", "restorebackup", "restorelastbackup"]
        required = ["update", "updateall", "kickstart"]

        if not self.options.getBool("test") and os.getuid() != 0:
            print(_("authconfig can only be run as root"))
            return False

        for option in disallowed:
            if self.options.getBool(option):
                print(_("Error: option --%s is no longer supported and we "
                        "cannot continue if it is set." % option))
                return False

        if self.options.getBool("winbind") != self.options.getBool("winbindauth"):
            print(_("Error: Both --enablewinbind and --enablewinbindauth must be set."))
            return False

        # We require one of these options to perform changes
        # We encourage to use --updateall since we no longer support just pure
        # --update or --kickstart, they will act as --updateall.
        for option in required:
            if self.options.getBool(option):
                return True

        print(_("Error: Please, provide --updateall option."))
        return False

    def runAuthselect(self):
        map = {
            'smartcard': 'with-smartcard',
            'requiresmartcard': 'with-smartcard-required',
            'fingerprint': 'with-fingerprint',
            'mkhomedir': 'with-mkhomedir',
            'faillock': 'with-faillock',
            'pamaccess': 'with-pamaccess',
            'winbindkrb5': 'with-krb5'
        }

        # Read current configuration first.
        (profile, features) = self.getCurrentAuthselectConfig()

        # Change profile if requested.
        if (self.options.getBool("ldap")
                or self.options.getBool("ldapauth")
                or self.options.getBool("sssd")
                or self.options.getBool("sssdauth")):
            profile = "sssd"
        elif self.options.getBool("nis"):
            profile = "nis"
        elif self.options.getBool("winbind"):
            profile = "winbind"

        # Default to sssd
        if profile is None:
            profile = "sssd"

        # Add enabled and remove disabled features.
        for option, feature in map.items():
            if not self.options.isset(option):
                continue

            enabled = self.options.getBool(option)
            if enabled:
                features.append(feature)
            else:
                while feature in features:
                    features.remove(feature)

        # Add lock-on-smartcard-removal if requested
        if self.options.isset("smartcardaction"):
            if int(self.options.get("smartcardaction")) == 0:
                features.append("with-smartcard-lock-on-removal")
            else:
                features.remove("with-smartcard-lock-on-removal")

        # Remove duplicates. The order is not kept but that does not matter.
        features = list(set(features))

        # Always run with --force. This is either first call of authconfig
        # in installation script or it is run on already configured system.
        # We want to use authselect in both cases anyway, since authconfig
        # would change the configuration either way.
        args = ["select", profile]
        args.extend(features)
        args.append("--force")

        cmd = Command(Path.System('cmd-authselect'), args)
        cmd.run()

    def getCurrentAuthselectConfig(self):
        cmd = Command(Path.System('cmd-authselect'), ['check'], check=False)
        cmd.run()

        if cmd.result is None or cmd.result.returncode != 0:
            return (None, [])

        cmd = Command(Path.System('cmd-authselect'), ['current', '--raw'])
        cmd.run()

        current = cmd.result.stdout.decode("utf-8").split()
        return (current[0], current[1:])

    def writeConfiguration(self):
        configs = [
            Configuration.LDAP(self.options),
            Configuration.Network(self.options),
            Configuration.Kerberos(self.options),
            Configuration.SSSD(self.options),
            Configuration.Winbind(self.options),
            Configuration.PWQuality(self.options),
            Configuration.MakeHomedir(self.options),
            Configuration.NIS(self.options)
        ]

        for config in configs:
            # Configuration decides if it needs to write something or not
            config.write()

            # Enable or disable service if needed
            nostart = self.options.getBool("nostart")
            try:
                enabled = config.isEnabled()

                # Skip service management if it can not be decided
                if enabled is None:
                    continue

                if enabled:
                    config.enableService(nostart)
                else:
                    config.disableService(nostart)
                    config.cleanup()
            except subprocess.CalledProcessError as result:
                # This is not fatal error.
                eprint(_("Command [%s] failed with %d, stderr:")
                       % (' '.join(result.cmd), result.returncode))
                eprint(result.stderr.decode())


def main():
    try:
        locale.setlocale(locale.LC_ALL, '')
    except locale.Error:
        sys.stderr.write('Warning: Unsupported locale setting.\n')

    authcompat = AuthCompat()
    authcompat.printWarning()

    Command.TEST = authcompat.options.getBool("test-call")
    EnvironmentFile.TEST = authcompat.options.getBool("test-call")
    ConfigSnippet.TEST = authcompat.options.getBool("test-call")

    if not authcompat.canContinue():
        sys.exit(1)

    try:
        authcompat.runAuthselect()
        authcompat.writeConfiguration()
        authcompat.sysconfig.write()
    except subprocess.CalledProcessError as result:
        eprint(_("Command [%s] failed with %d, stderr:")
               % (' '.join(result.cmd), result.returncode))
        eprint(result.stderr.decode())

    sys.exit(0)


if __name__ == "__main__":
    main()