IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-26 08:51:50 -06:00
Code Issues Packages Projects Releases Wiki Activity
1df10a88cd
freeipa/ipaserver/rpcserver.py
Rob Crittenden 1d635090cb Use the certificate subject base in IPA when requesting certs in certmonger. 
When using the dogtag CA we can control what the subject of an issued
certificate is regardless of what is in the CSR, we just use the CN value.
The selfsign CA does not have this capability. The subject format must
match the configured format or certificate requests are rejected.

The default format is CN=%s,O=IPA. certmonger by default issues requests
with just CN so all requests would fail if using the selfsign CA.

This subject base is stored in cn=ipaconfig so we can just fetch that
value in the enrollment process and pass it to certmonger to request
the right thing.

Note that this also fixes ipa-join to work with the new argument passing
mechanism.
2010-04-23 04:57:40 -06:00

462 lines
15 KiB
Python
Raw Blame History

# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
RPC server.
Also see the `ipalib.rpc` module.
"""
from cgi import parse_qs
from xml.sax.saxutils import escape
from xmlrpclib import Fault
from ipalib.backend import Executioner
from ipalib.errors import PublicError, InternalError, CommandError, JSONError
from ipalib.request import context, Connection, destroy_context
from ipalib.rpc import xml_dumps, xml_loads
from ipalib.util import make_repr
from ipalib.compat import json
from wsgiref.util import shift_path_info
import base64
_not_found_template = """<html>
<head>
<title>404 Not Found</title>
</head>
<body>
<h1>Not Found</h1>
<p>
The requested URL <strong>%(url)s</strong> was not found on this server.
</p>
</body>
</html>"""
def not_found(environ, start_response):
"""
Return a 404 Not Found error.
"""
status = '404 Not Found'
response_headers = [('Content-Type', 'text/html')]
start_response(status, response_headers)
output = _not_found_template % dict(
url=escape(environ['SCRIPT_NAME'] + environ['PATH_INFO'])
)
return [output]
def read_input(environ):
"""
Read the request body from environ['wsgi.input'].
"""
try:
length = int(environ.get('CONTENT_LENGTH'))
except (ValueError, TypeError):
return
return environ['wsgi.input'].read(length)
def params_2_args_options(params):
if len(params) == 0:
return (tuple(), dict())
if len(params) == 1:
return (params[0], dict())
return (params[0], params[1])
def nicify_query(query, encoding='utf-8'):
if not query:
return
for (key, value) in query.iteritems():
if len(value) == 0:
yield (key, None)
elif len(value) == 1:
yield (key, value[0].decode(encoding))
else:
yield (key, tuple(v.decode(encoding) for v in value))
def extract_query(environ):
"""
Return the query as a ``dict``, or ``None`` if no query is presest.
"""
qstr = None
if environ['REQUEST_METHOD'] == 'POST':
if environ['CONTENT_TYPE'] == 'application/x-www-form-urlencoded':
qstr = read_input(environ)
elif environ['REQUEST_METHOD'] == 'GET':
qstr = environ['QUERY_STRING']
if qstr:
query = dict(nicify_query(
parse_qs(qstr)#, keep_blank_values=True)
))
else:
query = {}
environ['wsgi.query'] = query
return query
class session(Executioner):
"""
WSGI routing middleware and entry point into IPA server.
The `session` plugin is the entry point into the IPA server. It will create
an LDAP connection (from a session cookie or the KRB5CCNAME header) and then
dispatch the request to the appropriate application. In WSGI parlance,
`session` is *middleware*.
"""
def __init__(self):
super(session, self).__init__()
self.__apps = {}
def __iter__(self):
for key in sorted(self.__apps):
yield key
def __getitem__(self, key):
return self.__apps[key]
def __contains__(self, key):
return key in self.__apps
def __call__(self, environ, start_response):
try:
self.create_context(ccache=environ.get('KRB5CCNAME'))
return self.route(environ, start_response)
finally:
destroy_context()
def finalize(self):
self.url = self.env['mount_ipa']
super(session, self).finalize()
def route(self, environ, start_response):
key = shift_path_info(environ)
if key in self.__apps:
app = self.__apps[key]
return app(environ, start_response)
return not_found(environ, start_response)
def mount(self, app, key):
"""
Mount the WSGI application *app* at *key*.
"""
# if self.__islocked__():
# raise StandardError('%s.mount(): locked, cannot mount %r at %r' % (
# self.name, app, key)
# )
if key in self.__apps:
raise StandardError('%s.mount(): cannot replace %r with %r at %r' % (
self.name, self.__apps[key], app, key)
)
self.info('Mounting %r at %r', app, key)
self.__apps[key] = app
class WSGIExecutioner(Executioner):
"""
Base class for execution backends with a WSGI application interface.
"""
key = ''
def set_api(self, api):
super(WSGIExecutioner, self).set_api(api)
if 'session' in self.api.Backend:
self.api.Backend.session.mount(self, self.key)
def finalize(self):
self.url = self.env.mount_ipa + self.key
super(WSGIExecutioner, self).finalize()
def wsgi_execute(self, environ):
result = None
error = None
_id = None
try:
if (
environ.get('CONTENT_TYPE', '').startswith(self.content_type)
and environ['REQUEST_METHOD'] == 'POST'
):
data = read_input(environ)
(name, args, options, _id) = self.unmarshal(data)
else:
(name, args, options, _id) = self.simple_unmarshal(environ)
if name not in self.Command:
raise CommandError(name=name)
result = self.Command[name](*args, **options)
except PublicError, e:
error = e
except StandardError, e:
self.exception(
'non-public: %s: %s', e.__class__.__name__, str(e)
)
error = InternalError()
return self.marshal(result, error, _id)
def simple_unmarshal(self, environ):
name = environ['PATH_INFO'].strip('/')
options = extract_query(environ)
return (name, tuple(), options, None)
def __call__(self, environ, start_response):
"""
WSGI application for execution.
"""
try:
status = '200 OK'
response = self.wsgi_execute(environ)
headers = [('Content-Type', self.content_type + '; charset=utf-8')]
except StandardError, e:
self.exception('%s.__call__():', self.name)
status = '500 Internal Server Error'
response = status
headers = [('Content-Type', 'text/plain')]
start_response(status, headers)
return [response]
def unmarshal(self, data):
raise NotImplementedError('%s.unmarshal()' % self.fullname)
def marshal(self, result, error, _id=None):
raise NotImplementedError('%s.marshal()' % self.fullname)
class xmlserver(WSGIExecutioner):
"""
Execution backend plugin for XML-RPC server.
Also see the `ipalib.rpc.xmlclient` plugin.
"""
content_type = 'text/xml'
key = 'xml'
def finalize(self):
self.__system = {
'system.listMethods': self.listMethods,
'system.methodSignature': self.methodSignature,
'system.methodHelp': self.methodHelp,
}
super(xmlserver, self).finalize()
def listMethods(self, *params):
return tuple(name.decode('UTF-8') for name in self.Command)
def methodSignature(self, *params):
return u'methodSignature not implemented'
def methodHelp(self, *params):
return u'methodHelp not implemented'
def marshaled_dispatch(self, data, ccache, client_ip):
"""
Execute the XML-RPC request contained in ``data``.
"""
try:
self.create_context(ccache=ccache, client_ip=client_ip)
(params, name) = xml_loads(data)
if name in self.__system:
response = (self.__system[name](*params),)
else:
(args, options) = params_2_args_options(params)
response = (self.execute(name, *args, **options),)
except PublicError, e:
self.info('response: %s: %s', e.__class__.__name__, str(e))
response = Fault(e.errno, e.strerror)
return xml_dumps(response, methodresponse=True)
def unmarshal(self, data):
(params, name) = xml_loads(data)
(args, options) = params_2_args_options(params)
return (name, args, options, None)
def marshal(self, result, error, _id=None):
if error:
self.info('response: %s: %s', error.__class__.__name__, str(error))
response = Fault(error.errno, error.strerror)
else:
if isinstance(result, dict):
self.info('response: entries returned %d', result.get('count', 1))
response = (result,)
return xml_dumps(response, methodresponse=True)
def json_encode_binary(val):
'''
JSON cannot encode binary values. We encode binary values in Python str
objects and text in Python unicode objects. In order to allow a binary
object to be passed through JSON we base64 encode it thus converting it to
text which JSON can transport. To assure we recognize the value is a base64
encoded representation of the original binary value and not confuse it with
other text we convert the binary value to a dict in this form:
{'__base64__' : base64_encoding_of_binary_value}
This modification of the original input value cannot be done "in place" as
one might first assume (e.g. replacing any binary items in a container
(e.g. list, tuple, dict) with the base64 dict because the container might be
an immutable object (i.e. a tuple). Therefore this function returns a copy
of any container objects it encounters with tuples replaced by lists. This
is O.K. because the JSON encoding will map both lists and tuples to JSON
arrays.
'''
if isinstance(val, dict):
new_dict = {}
for k,v in val.items():
if isinstance(v, str):
new_dict[k] = {'__base64__' : base64.b64encode(v)}
else:
new_dict[k] = json_encode_binary(v)
del val
return new_dict
elif isinstance(val, (list, tuple)):
new_list = []
n = len(val)
i = 0
while i < n:
v = val[i]
if isinstance(v, str):
new_list.append({'__base64__' : base64.b64encode(v)})
else:
new_list.append(json_encode_binary(v))
i += 1
del val
return new_list
elif isinstance(val, str):
return {'__base64__' : base64.b64encode(val)}
else:
return val
def json_decode_binary(val):
'''
JSON cannot transport binary data. In order to transport binary data we
convert binary data to a form like this:
{'__base64__' : base64_encoding_of_binary_value}
see json_encode_binary()
After JSON had decoded the JSON stream back into a Python object we must
recursively scan the object looking for any dicts which might represent
binary values and replace the dict containing the base64 encoding of the
binary value with the decoded binary value. Unlike the encoding problem
where the input might consist of immutable object, all JSON decoded
container are mutable so the conversion could be done in place. However we
don't modify objects in place because of side effects which may be
dangerous. Thus we elect to spend a few more cycles and avoid the
possibility of unintended side effects in favor of robustness.
'''
if isinstance(val, dict):
if val.has_key('__base64__'):
return base64.b64decode(val['__base64__'])
else:
new_dict = {}
for k,v in val.items():
if isinstance(v, dict) and v.has_key('__base64__'):
new_dict[k] = base64.b64decode(v['__base64__'])
else:
new_dict[k] = json_decode_binary(v)
del val
return new_dict
elif isinstance(val, list):
new_list = []
n = len(val)
i = 0
while i < n:
v = val[i]
if isinstance(v, dict) and v.has_key('__base64__'):
binary_val = base64.b64decode(v['__base64__'])
new_list.append(binary_val)
else:
new_list.append(json_decode_binary(v))
i += 1
del val
return new_list
else:
return val
class jsonserver(WSGIExecutioner):
"""
JSON RPC server.
For information on the JSON-RPC spec, see:
http://json-rpc.org/wiki/specification
"""
content_type = 'application/json'
key = 'json'
def marshal(self, result, error, _id=None):
if error:
assert isinstance(error, PublicError)
error = dict(
code=error.errno,
message=error.strerror,
name=error.__class__.__name__,
kw=dict(error.kw),
)
response = dict(
result=result,
error=error,
id=_id,
)
response = json_encode_binary(response)
return json.dumps(response, sort_keys=True, indent=4)
def unmarshal(self, data):
try:
d = json.loads(data)
except ValueError, e:
raise JSONError(error=e)
if not isinstance(d, dict):
raise JSONError(error='Request must be a dict')
if 'method' not in d:
raise JSONError(error='Request is missing "method"')
if 'params' not in d:
raise JSONError(error='Request is missing "params"')
d = json_decode_binary(d)
method = d['method']
params = d['params']
_id = d.get('id')
if not isinstance(params, (list, tuple)):
raise JSONError(error='params must be a list')
if len(params) != 2:
raise JSONError(
error='params must contain [args, options]'
)
args = params[0]
if not isinstance(args, (list, tuple)):
raise JSONError(
error='params[0] (aka args) must be a list'
)
options = params[1]
if not isinstance(options, dict):
raise JSONError(
error='params[1] (aka options) must be a dict'
)
options = dict((str(k), v) for (k, v) in options.iteritems())
return (method, args, options, _id)
Reference in New Issue View Git Blame Copy Permalink