checkpoint radius client work

ipa-admintools/ipa-addradiusclient

@@ -0,0 +1,248 @@
+#! /usr/bin/python -E
+# Authors: John Dennis <jdennis@redhat.com>
+#
+# Copyright (C) 2007  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import sys
+from optparse import OptionParser
+import ipa
+import ipa.radius_client
+import ipa.ipaclient as ipaclient
+import ipa.ipavalidate as ipavalidate
+import ipa.config
+import ipa.ipaerror
+
+import xmlrpclib
+import kerberos
+import ldap
+import getpass
+import re
+
+#------------------------------------------------------------------------------
+
+dotted_octet_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(/(\d+))?$")
+dns_RE = re.compile(r"^[a-zA-Z.-]+$")
+# secret, name, nastype all have 31 char max in freeRADIUS, max ip address len is 255
+valid_secret_len = (1,31)
+valid_name_len = (1,31)
+valid_nastype_len = (1,31)
+valid_ip_addr_len = (1,255)
+
+valid_ip_addr_msg = "IP address is required and must be dotted octet with optional mask or a DNS name"
+valid_desc_msg = "Description must text string"
+
+#------------------------------------------------------------------------------
+
+def usage():
+    print "ipa-addradiusclient"
+    sys.exit(1)
+
+def parse_options():
+    parser = OptionParser()
+    parser.add_option("--usage", action="store_true",
+                      help="Program usage")
+    parser.add_option("-a", "--address", dest="ip_addr",
+                      help="RADIUS client IP address")
+    parser.add_option("-s", "--secret", dest="secret",
+                      help="RADIUS client secret")
+    parser.add_option("-n", "--name", dest="name",
+                      help="RADIUS client name")
+    parser.add_option("-t", "--type", dest="nastype",
+                      help="RADIUS client name")
+    parser.add_option("-d", "--description", dest="desc", 
+                      help="description of the RADIUS client")
+
+    args = ipa.config.init_config(sys.argv)
+    options, args = parser.parse_args(args)
+
+    return options, args
+
+#------------------------------------------------------------------------------
+
+def get_secret():
+    valid = False
+    while (not valid):
+        secret = getpass.getpass("Enter Secret: ")
+        confirm = getpass.getpass("Confirm Secret: ")
+        if (secret != confirm):
+            print "Secrets do not match"
+            continue
+        valid = True
+    return secret
+
+#------------------------------------------------------------------------------
+
+def valid_ip_addr(text):
+
+    # is it a dotted octet? If so there should be 4 integers seperated
+    # by a dot and each integer should be between 0 and 255
+    # there may be an optional mask preceded by a slash (e.g. 1.2.3.4/24)
+    match = dotted_octet_RE.search(text)
+    if match:
+        # dotted octet notation
+        i = 1
+        while i <= 4:
+            octet = int(match.group(i))
+            if octet > 255: return False
+            i += 1
+        if match.group(5):
+            mask = int(match.group(6))
+            if mask <= 32:
+                return True
+            else:
+                return False
+        return True
+    else:
+        # DNS name, can contain letters, dot and hypen
+        if dns_RE.search(text): return False
+    return True
+
+def validate_length(value, limits):
+    length = len(value)
+    if length < limits[0] or length > limits[1]:
+        return False
+    return True
+
+def valid_length_msg(name, limits):
+    return "%s length must be at least %d and not more than %d" % (name, limits[0], limits[1])
+
+def validate_ip_addr(ip_addr):
+    if not validate_length(ip_addr, valid_ip_addr_len):
+        print valid_length_msg('ip address', valid_ip_addr_len)
+        return False
+    if not valid_ip_addr(ip_addr):
+        print valid_ip_addr_msg
+        return False
+    return True
+
+def validate_secret(secret):
+    if not validate_length(secret, valid_secret_len):
+        print valid_length_msg('secret', valid_secret_len)
+        return False
+    return True
+
+def validate_name(name):
+    if not validate_length(name, valid_name_len):
+        print valid_length_msg('name', valid_name_len)
+        return False
+    return True
+
+def validate_nastype(nastype):
+    if not validate_length(nastype, valid_nastype_len):
+        print valid_length_msg('NAS Type', valid_nastype_len)
+        return False
+    return True
+
+def validate_desc(desc):
+    if ipavalidate.plain(desc, notEmpty=True) != 0:
+        print valid_desc_msg
+        return False
+    return True
+
+#------------------------------------------------------------------------------
+
+def main():
+    ip_addr = None
+    secret = None
+    name = None
+    nastype = None
+    desc = None
+
+    client=ipa.radius_client.RadiusClient()
+    options, args = parse_options()
+
+    # client address is required
+    if options.ip_addr:
+        ip_addr = options.ip_addr
+        if not validate_ip_addr(ip_addr): return 1
+    else:
+        valid = False
+        while not valid:
+            ip_addr = raw_input("Client IP: ")
+            if validate_ip_addr(ip_addr): valid = True
+
+    # client secret is required
+    if options.secret:
+        secret = options.secret
+        if not validate_secret(secret): return 1
+    else:
+        valid = False
+        while not valid:
+            secret = get_secret()
+            if validate_secret(secret): valid = True
+                
+    # client name is optional
+    if options.name:
+        name = options.name
+        if not validate_name(name): return 1
+
+    # client NAS Type is optional
+    if options.nastype:
+        nastype = options.nastype
+        if not validate_nastype(nastype): return 1
+        
+    # client description is optional
+    if options.desc:
+        desc = options.desc
+        if not validate_desc(desc): return 1
+        
+
+    #print "ip_addr=%s secret=%s name=%s nastype=%s desc=%s" % (ip_addr, secret, name, nastype, desc)
+
+    if ip_addr is not None:
+        client.setValue('radiusClientNASIpAddress', ip_addr)
+    else:
+        print "client IP Address is required"
+        return 1
+
+    if secret is not None:
+        client.setValue('radiusClientSecret', secret)
+    else:
+        print "client secret is required"
+        return 1
+
+    if name is not None:
+        client.setValue('radiusClientShortName', name)
+
+    if nastype is not None:
+        client.setValue('radiusClientNASType', nastype)
+       
+    if desc is not None:
+        client.setValue('description', desc)
+       
+    try:
+        client = ipaclient.IPAClient()
+        client.add_radius_client(client)
+        print "successfully added"
+    except xmlrpclib.Fault, f:
+        print f.faultString
+        return 1
+    except kerberos.GSSError, e:
+        print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
+        return 1
+    except xmlrpclib.ProtocolError, e:
+        print "Unable to connect to IPA server: %s" % (e.errmsg)
+        return 1
+    except ipa.ipaerror.IPAError, e:
+        print "%s" % (e.message)
+        return 1
+
+    return 0
+
+if __name__ == "__main__":
+    sys.exit(main())