mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
249 lines
7.4 KiB
Python
249 lines
7.4 KiB
Python
#! /usr/bin/python -E
|
|
# Authors: John Dennis <jdennis@redhat.com>
|
|
#
|
|
# Copyright (C) 2007 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU General Public License as
|
|
# published by the Free Software Foundation; version 2 only
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
import sys
|
|
from optparse import OptionParser
|
|
import ipa
|
|
import ipa.radius_client
|
|
import ipa.ipaclient as ipaclient
|
|
import ipa.ipavalidate as ipavalidate
|
|
import ipa.config
|
|
import ipa.ipaerror
|
|
|
|
import xmlrpclib
|
|
import kerberos
|
|
import ldap
|
|
import getpass
|
|
import re
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
dotted_octet_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(/(\d+))?$")
|
|
dns_RE = re.compile(r"^[a-zA-Z.-]+$")
|
|
# secret, name, nastype all have 31 char max in freeRADIUS, max ip address len is 255
|
|
valid_secret_len = (1,31)
|
|
valid_name_len = (1,31)
|
|
valid_nastype_len = (1,31)
|
|
valid_ip_addr_len = (1,255)
|
|
|
|
valid_ip_addr_msg = "IP address is required and must be dotted octet with optional mask or a DNS name"
|
|
valid_desc_msg = "Description must text string"
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
def usage():
|
|
print "ipa-addradiusclient"
|
|
sys.exit(1)
|
|
|
|
def parse_options():
|
|
parser = OptionParser()
|
|
parser.add_option("--usage", action="store_true",
|
|
help="Program usage")
|
|
parser.add_option("-a", "--address", dest="ip_addr",
|
|
help="RADIUS client IP address")
|
|
parser.add_option("-s", "--secret", dest="secret",
|
|
help="RADIUS client secret")
|
|
parser.add_option("-n", "--name", dest="name",
|
|
help="RADIUS client name")
|
|
parser.add_option("-t", "--type", dest="nastype",
|
|
help="RADIUS client name")
|
|
parser.add_option("-d", "--description", dest="desc",
|
|
help="description of the RADIUS client")
|
|
|
|
args = ipa.config.init_config(sys.argv)
|
|
options, args = parser.parse_args(args)
|
|
|
|
return options, args
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
def get_secret():
|
|
valid = False
|
|
while (not valid):
|
|
secret = getpass.getpass("Enter Secret: ")
|
|
confirm = getpass.getpass("Confirm Secret: ")
|
|
if (secret != confirm):
|
|
print "Secrets do not match"
|
|
continue
|
|
valid = True
|
|
return secret
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
def valid_ip_addr(text):
|
|
|
|
# is it a dotted octet? If so there should be 4 integers seperated
|
|
# by a dot and each integer should be between 0 and 255
|
|
# there may be an optional mask preceded by a slash (e.g. 1.2.3.4/24)
|
|
match = dotted_octet_RE.search(text)
|
|
if match:
|
|
# dotted octet notation
|
|
i = 1
|
|
while i <= 4:
|
|
octet = int(match.group(i))
|
|
if octet > 255: return False
|
|
i += 1
|
|
if match.group(5):
|
|
mask = int(match.group(6))
|
|
if mask <= 32:
|
|
return True
|
|
else:
|
|
return False
|
|
return True
|
|
else:
|
|
# DNS name, can contain letters, dot and hypen
|
|
if dns_RE.search(text): return False
|
|
return True
|
|
|
|
def validate_length(value, limits):
|
|
length = len(value)
|
|
if length < limits[0] or length > limits[1]:
|
|
return False
|
|
return True
|
|
|
|
def valid_length_msg(name, limits):
|
|
return "%s length must be at least %d and not more than %d" % (name, limits[0], limits[1])
|
|
|
|
def validate_ip_addr(ip_addr):
|
|
if not validate_length(ip_addr, valid_ip_addr_len):
|
|
print valid_length_msg('ip address', valid_ip_addr_len)
|
|
return False
|
|
if not valid_ip_addr(ip_addr):
|
|
print valid_ip_addr_msg
|
|
return False
|
|
return True
|
|
|
|
def validate_secret(secret):
|
|
if not validate_length(secret, valid_secret_len):
|
|
print valid_length_msg('secret', valid_secret_len)
|
|
return False
|
|
return True
|
|
|
|
def validate_name(name):
|
|
if not validate_length(name, valid_name_len):
|
|
print valid_length_msg('name', valid_name_len)
|
|
return False
|
|
return True
|
|
|
|
def validate_nastype(nastype):
|
|
if not validate_length(nastype, valid_nastype_len):
|
|
print valid_length_msg('NAS Type', valid_nastype_len)
|
|
return False
|
|
return True
|
|
|
|
def validate_desc(desc):
|
|
if ipavalidate.plain(desc, notEmpty=True) != 0:
|
|
print valid_desc_msg
|
|
return False
|
|
return True
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
def main():
|
|
ip_addr = None
|
|
secret = None
|
|
name = None
|
|
nastype = None
|
|
desc = None
|
|
|
|
client=ipa.radius_client.RadiusClient()
|
|
options, args = parse_options()
|
|
|
|
# client address is required
|
|
if options.ip_addr:
|
|
ip_addr = options.ip_addr
|
|
if not validate_ip_addr(ip_addr): return 1
|
|
else:
|
|
valid = False
|
|
while not valid:
|
|
ip_addr = raw_input("Client IP: ")
|
|
if validate_ip_addr(ip_addr): valid = True
|
|
|
|
# client secret is required
|
|
if options.secret:
|
|
secret = options.secret
|
|
if not validate_secret(secret): return 1
|
|
else:
|
|
valid = False
|
|
while not valid:
|
|
secret = get_secret()
|
|
if validate_secret(secret): valid = True
|
|
|
|
# client name is optional
|
|
if options.name:
|
|
name = options.name
|
|
if not validate_name(name): return 1
|
|
|
|
# client NAS Type is optional
|
|
if options.nastype:
|
|
nastype = options.nastype
|
|
if not validate_nastype(nastype): return 1
|
|
|
|
# client description is optional
|
|
if options.desc:
|
|
desc = options.desc
|
|
if not validate_desc(desc): return 1
|
|
|
|
|
|
#print "ip_addr=%s secret=%s name=%s nastype=%s desc=%s" % (ip_addr, secret, name, nastype, desc)
|
|
|
|
if ip_addr is not None:
|
|
client.setValue('radiusClientNASIpAddress', ip_addr)
|
|
else:
|
|
print "client IP Address is required"
|
|
return 1
|
|
|
|
if secret is not None:
|
|
client.setValue('radiusClientSecret', secret)
|
|
else:
|
|
print "client secret is required"
|
|
return 1
|
|
|
|
if name is not None:
|
|
client.setValue('radiusClientShortName', name)
|
|
|
|
if nastype is not None:
|
|
client.setValue('radiusClientNASType', nastype)
|
|
|
|
if desc is not None:
|
|
client.setValue('description', desc)
|
|
|
|
try:
|
|
client = ipaclient.IPAClient()
|
|
client.add_radius_client(client)
|
|
print "successfully added"
|
|
except xmlrpclib.Fault, f:
|
|
print f.faultString
|
|
return 1
|
|
except kerberos.GSSError, e:
|
|
print "Could not initialize GSSAPI: %s/%s" % (e[0][0][0], e[0][1][0])
|
|
return 1
|
|
except xmlrpclib.ProtocolError, e:
|
|
print "Unable to connect to IPA server: %s" % (e.errmsg)
|
|
return 1
|
|
except ipa.ipaerror.IPAError, e:
|
|
print "%s" % (e.message)
|
|
return 1
|
|
|
|
return 0
|
|
|
|
if __name__ == "__main__":
|
|
sys.exit(main())
|