IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
d237c40b2c
freeipa/ipalib/backend.py

151 lines
4.7 KiB
Python
Raw Normal View History

319: Added new backend and tests.test_backend modules; added place-holder Backend class and corresponding unit tests
2008-09-23 19:12:35 -05:00
# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
319: Added new backend and tests.test_backend modules; added place-holder Backend class and corresponding unit tests
2008-09-23 19:12:35 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
319: Added new backend and tests.test_backend modules; added place-holder Backend class and corresponding unit tests
2008-09-23 19:12:35 -05:00
"""
Base classes for all backed-end plugins.
"""
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-23 11:35:57 -05:00
import logging
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
import threading
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
import os
Use absolute imports In Python 3, implicit relative imports will not be supported. Use fully-qualified imports everywhere. Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-31 03:15:01 -05:00
from ipalib import plugable
from ipalib.errors import PublicError, InternalError, CommandError
from ipalib.request import context, Connection, destroy_context
319: Added new backend and tests.test_backend modules; added place-holder Backend class and corresponding unit tests
2008-09-23 19:12:35 -05:00
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-23 11:35:57 -05:00
logger = logging.getLogger(__name__)
Did some initial work for Context plugins
2008-10-30 02:11:33 -05:00
319: Added new backend and tests.test_backend modules; added place-holder Backend class and corresponding unit tests
2008-09-23 19:12:35 -05:00
class Backend(plugable.Plugin):
320: plugable.API now respects the Plugin.__proxy__ flag; added test for plugins without proxy to unit tests for API
2008-09-23 19:44:41 -05:00
"""
Base class for all backend plugins.
"""
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
class Connectible(Backend):
Added docstring to Connectible class
2009-01-24 23:44:58 -06:00
"""
Base class for backend plugins that create connections.
In addition to the nicety of providing a standard connection API, all
backend plugins that create connections should use this base class so that
`request.destroy_context()` can properly close all open connections.
"""
plugable: Pass API to plugins on initialization rather than using set_api https://fedorahosted.org/freeipa/ticket/3090 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-22 05:58:43 -05:00
def __init__(self, api, shared_instance=False):
Backend.__init__(self, api)
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
if shared_instance:
self.id = self.name
else:
self.id = '%s_%s' % (self.name, str(id(self)))
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
def connect(self, *args, **kw):
"""
Create thread-local connection.
"""
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
if hasattr(context, self.id):
Replace StandardError with Exception StandardError was removed in Python3 and instead Exception should be used. Signed-off-by: Robert Kuska <rkuska@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-24 05:40:33 -05:00
raise Exception(
raise more descriptive Backend connection-related exceptions https://fedorahosted.org/freeipa/ticket/5473 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-20 06:47:34 -06:00
"{0} is already connected ({1} in {2})".format(
self.name,
self.id,
pylint: Fix deprecated-method for threading As of Python3 `currentThread`, `thread.getName` are aliases for `threading.current_thread()` and `threading.Thread.name` respectively. In Python3.10: > bpo-43723: The following threading methods are now deprecated and should be replaced: currentThread => threading.current_thread() activeCount => threading.active_count() Condition.notifyAll => threading.Condition.notify_all() Event.isSet => threading.Event.is_set() Thread.setName => threading.Thread.name thread.getName => threading.Thread.name Thread.isDaemon => threading.Thread.daemon Thread.setDaemon => threading.Thread.daemon Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-21 04:21:06 -06:00
threading.current_thread().name,
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
)
)
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
conn = self.create_connection(*args, **kw)
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
setattr(context, self.id, Connection(conn, self.disconnect))
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
assert self.conn is conn
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-23 11:35:57 -05:00
logger.debug('Created connection context.%s', self.id)
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
def create_connection(self, *args, **kw):
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
raise NotImplementedError('%s.create_connection()' % self.id)
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
def disconnect(self):
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
if not hasattr(context, self.id):
Replace StandardError with Exception StandardError was removed in Python3 and instead Exception should be used. Signed-off-by: Robert Kuska <rkuska@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-24 05:40:33 -05:00
raise Exception(
raise more descriptive Backend connection-related exceptions https://fedorahosted.org/freeipa/ticket/5473 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-20 06:47:34 -06:00
"{0} is not connected ({1} in {2})".format(
self.name,
self.id,
pylint: Fix deprecated-method for threading As of Python3 `currentThread`, `thread.getName` are aliases for `threading.current_thread()` and `threading.Thread.name` respectively. In Python3.10: > bpo-43723: The following threading methods are now deprecated and should be replaced: currentThread => threading.current_thread() activeCount => threading.active_count() Condition.notifyAll => threading.Condition.notify_all() Event.isSet => threading.Event.is_set() Thread.setName => threading.Thread.name thread.getName => threading.Thread.name Thread.isDaemon => threading.Thread.daemon Thread.setDaemon => threading.Thread.daemon Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-21 04:21:06 -06:00
threading.current_thread().name,
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
)
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
)
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
self.destroy_connection()
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
delattr(context, self.id)
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-23 11:35:57 -05:00
logger.debug('Destroyed connection context.%s', self.id)
Ported xmlclient to subclass from Connectible
2009-01-23 19:02:32 -06:00
def destroy_connection(self):
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
raise NotImplementedError('%s.destroy_connection()' % self.id)
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
def isconnected(self):
"""
Return ``True`` if thread-local connection on `request.context` exists.
"""
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
return hasattr(context, self.id)
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
pylint: Skip unused-private-member for property case See https://github.com/PyCQA/pylint/issues/4756 for details Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-18 07:44:37 -06:00
def __get_conn(self): # pylint: disable=unused-private-member, #4756
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
"""
Return thread-local connection.
"""
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
if not hasattr(context, self.id):
raise more descriptive Backend connection-related exceptions https://fedorahosted.org/freeipa/ticket/5473 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-20 06:47:34 -06:00
raise AttributeError(
"{0} is not connected ({1} in {2})".format(
self.name,
self.id,
pylint: Fix deprecated-method for threading As of Python3 `currentThread`, `thread.getName` are aliases for `threading.current_thread()` and `threading.Thread.name` respectively. In Python3.10: > bpo-43723: The following threading methods are now deprecated and should be replaced: currentThread => threading.current_thread() activeCount => threading.active_count() Condition.notifyAll => threading.Condition.notify_all() Event.isSet => threading.Event.is_set() Thread.setName => threading.Thread.name thread.getName => threading.Thread.name Thread.isDaemon => threading.Thread.daemon Thread.setDaemon => threading.Thread.daemon Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-21 04:21:06 -06:00
threading.current_thread().name,
raise more descriptive Backend connection-related exceptions https://fedorahosted.org/freeipa/ticket/5473 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-20 06:47:34 -06:00
)
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
)
Allow creation of new connections by unshared instances of backend.Connectible.
2010-01-05 06:38:20 -06:00
return getattr(context, self.id).conn
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
conn = property(__get_conn)
class Executioner(Backend):
Started reworking CLI class into cli plugin
2009-01-27 17:28:50 -06:00
def create_context(self, ccache=None, client_ip=None):
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
"""
client_ip: The IP address of the remote client.
"""
Tweak the session auth to reflect developer consensus. * Increase the session ID from 48 random bits to 128. * Implement the sesison_logout RPC command. It permits the UI to send a command that destroys the users credentials in the current session. * Restores the original web URL's and their authentication protections. Adds a new URL for sessions /ipa/session/json. Restores the original Kerberos auth which was for /ipa and everything below. New /ipa/session/json URL is treated as an exception and turns all authenticaion off. Similar to how /ipa/ui is handled. * Refactor the RPC handlers in rpcserver.py such that there is one handler per URL, specifically one handler per RPC and AuthMechanism combination. * Reworked how the URL names are used to map a URL to a handler. Previously it only permitted one level in the URL path hierarchy. We now dispatch on more that one URL path component. * Renames the api.Backend.session object to wsgi_dispatch. The use of the name session was historical and is now confusing since we've implemented sessions in a different location than the api.Backend.session object, which is really a WSGI dispatcher, hence the new name wsgi_dispatch. * Bullet-proof the setting of the KRB5CCNAME environment variable. ldap2.connect already sets it via the create_context() call but just in case that's not called or not called early enough (we now have other things besides ldap which need the ccache) we explicitly set it early as soon as we know it. * Rework how we test for credential validity and expiration. The previous code did not work with s4u2proxy because it assumed the existance of a TGT. Now we first try ldap credentials and if we can't find those fallback to the TGT. This logic was moved to the KRB5_CCache object, it's an imperfect location for it but it's the only location that makes sense at the moment given some of the current code limitations. The new methods are KRB5_CCache.valid() and KRB5_CCache.endtime(). * Add two new classes to session.py AuthManager and SessionAuthManager. Their purpose is to emit authication events to interested listeners. At the moment the logout event is the only event, but the framework should support other events as they arise. * Add BuildRequires python-memcached to freeipa.spec.in * Removed the marshaled_dispatch method, it was cruft, no longer referenced. https://fedorahosted.org/freeipa/ticket/2362
2012-02-15 09:26:42 -06:00
if ccache is not None:
os.environ["KRB5CCNAME"] = ccache
Started reworking CLI class into cli plugin
2009-01-27 17:28:50 -06:00
if self.env.in_server:
ldap2: change default time/size limit * Set default time_limit and size_limit in ldap2 to unlimited. * Set time_limit and size_limit to None in backend. This will respect ipaconfig values. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-10-27 08:31:25 -05:00
self.Backend.ldap2.connect(ccache=ccache,
size_limit=None,
time_limit=None)
Started reworking CLI class into cli plugin
2009-01-27 17:28:50 -06:00
else:
rpc: specify connection options in API config Specify RPC connection options once in API.bootstrap rather than in each invocation of rpcclient.connect. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 05:31:03 -05:00
self.Backend.rpcclient.connect()
First pass at enforcing certificates be requested from same host We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
2009-10-20 10:59:07 -05:00
if client_ip is not None:
setattr(context, "client_ip", client_ip)
Started reworking CLI class into cli plugin
2009-01-27 17:28:50 -06:00
Add textui function to display and prompt user for selection for *-find. Since we may end up executing a *-show when an entry is selected we need to defer destroying the connection context.
2009-07-10 15:43:47 -05:00
def destroy_context(self):
destroy_context()
Fixed Executioner.execute() so that its 'name' argument doesn't conflict with a param called 'name' (which is a valid param name)
2009-03-13 01:53:05 -05:00
def execute(self, _name, *args, **options):
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
try:
Fixed Executioner.execute() so that its 'name' argument doesn't conflict with a param called 'name' (which is a valid param name)
2009-03-13 01:53:05 -05:00
if _name not in self.Command:
raise CommandError(name=_name)
Fix pylint warnings inconsistent-return-statements Add consistent return to all functions and methods that are covered by tox -e pylint[23]. I haven't checked if return None is always a good idea or if we should rather raise an error. See: https://pagure.io/freeipa/issue/7326 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-15 10:00:04 -06:00
return self.Command[_name](*args, **options)
pylint: Fix useless-suppression Cleanup up no longer used Pylint's disables where possible. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-02-21 06:36:10 -06:00
except PublicError:
Fix pylint warnings inconsistent-return-statements Add consistent return to all functions and methods that are covered by tox -e pylint[23]. I haven't checked if return None is always a good idea or if we should rather raise an error. See: https://pagure.io/freeipa/issue/7326 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-15 10:00:04 -06:00
raise
Replace StandardError with Exception StandardError was removed in Python3 and instead Exception should be used. Signed-off-by: Robert Kuska <rkuska@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-24 05:40:33 -05:00
except Exception as e:
logging: remove object-specific loggers Remove all object-specific loggers, with the exception of `Plugin.log`, which is now deprecated. Replace affected logger calls with module-level logger calls. Deprecate object-specific loggers in `ipa_log_manager.get_logger`. Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-23 11:35:57 -05:00
logger.exception(
Added stuff for managing connections and new Executioner backend base class
2009-01-23 16:49:16 -06:00
'non-public: %s: %s', e.__class__.__name__, str(e)
)
Fix pylint warnings inconsistent-return-statements Add consistent return to all functions and methods that are covered by tox -e pylint[23]. I haven't checked if return None is always a good idea or if we should rather raise an error. See: https://pagure.io/freeipa/issue/7326 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-15 10:00:04 -06:00
raise InternalError()
finally:
destroy_context()
Reference in New Issue Copy Permalink