freeipa/ipalib/rpc.py
Rob Crittenden bb09db2228 Explicitly set verbosity off in the XML-RPC client
This is so I don't have to hunt for where to set this to True when doing
low-level client debugging.
2009-09-14 09:46:42 -04:00

424 lines
14 KiB
Python

# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; version 2 only
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
"""
RPC client and shared RPC client/server functionality.
This module adds some additional functionality on top of the ``xmlrpclib``
module in the Python standard library. For documentation on the
``xmlrpclib`` module, see:
http://docs.python.org/library/xmlrpclib.html
Also see the `ipaserver.rpcserver` module.
"""
from types import NoneType
import threading
import socket
import os
import errno
from xmlrpclib import Binary, Fault, dumps, loads, ServerProxy, Transport, ProtocolError
import kerberos
from ipalib.backend import Connectible
from ipalib.errors import public_errors, PublicError, UnknownError, NetworkError
from ipalib import errors
from ipalib.request import context
from ipapython import ipautil
from OpenSSL import SSL
import httplib
try:
from httplib import SSLFile
from httplib import FakeSocket
except ImportError:
from ipapython.ipasslfile import SSLFile
from ipapython.ipasslfile import FakeSocket
# Some Kerberos error definitions from krb5.h
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = (-1765328377L)
KRB5KRB_AP_ERR_TKT_EXPIRED = (-1765328352L)
KRB5_FCC_PERM = (-1765328190L)
KRB5_FCC_NOFILE = (-1765328189L)
KRB5_CC_FORMAT = (-1765328185L)
KRB5_REALM_CANT_RESOLVE = (-1765328164L)
def xml_wrap(value):
"""
Wrap all ``str`` in ``xmlrpclib.Binary``.
Because ``xmlrpclib.dumps()`` will itself convert all ``unicode`` instances
into UTF-8 encoded ``str`` instances, we don't do it here.
So in total, when encoding data for an XML-RPC packet, the following
transformations occur:
* All ``str`` instances are treated as binary data and are wrapped in
an ``xmlrpclib.Binary()`` instance.
* Only ``unicode`` instances are treated as character data. They get
converted to UTF-8 encoded ``str`` instances (although as mentioned,
not by this function).
Also see `xml_unwrap()`.
:param value: The simple scalar or simple compound value to wrap.
"""
if type(value) in (list, tuple):
return tuple(xml_wrap(v) for v in value)
if type(value) is dict:
return dict(
(k, xml_wrap(v)) for (k, v) in value.iteritems()
)
if type(value) is str:
return Binary(value)
assert type(value) in (unicode, int, float, bool, NoneType)
return value
def xml_unwrap(value, encoding='UTF-8'):
"""
Unwrap all ``xmlrpc.Binary``, decode all ``str`` into ``unicode``.
When decoding data from an XML-RPC packet, the following transformations
occur:
* The binary payloads of all ``xmlrpclib.Binary`` instances are
returned as ``str`` instances.
* All ``str`` instances are treated as UTF-8 encoded Unicode strings.
They are decoded and the resulting ``unicode`` instance is returned.
Also see `xml_wrap()`.
:param value: The value to unwrap.
:param encoding: The Unicode encoding to use (defaults to ``'UTF-8'``).
"""
if type(value) in (list, tuple):
return tuple(xml_unwrap(v, encoding) for v in value)
if type(value) is dict:
return dict(
(k, xml_unwrap(v, encoding)) for (k, v) in value.iteritems()
)
if type(value) is str:
return value.decode(encoding)
if isinstance(value, Binary):
assert type(value.data) is str
return value.data
assert type(value) in (unicode, int, float, bool, NoneType)
return value
def xml_dumps(params, methodname=None, methodresponse=False, encoding='UTF-8'):
"""
Encode an XML-RPC data packet, transparently wraping ``params``.
This function will wrap ``params`` using `xml_wrap()` and will
then encode the XML-RPC data packet using ``xmlrpclib.dumps()`` (from the
Python standard library).
For documentation on the ``xmlrpclib.dumps()`` function, see:
http://docs.python.org/library/xmlrpclib.html#convenience-functions
Also see `xml_loads()`.
:param params: A ``tuple`` or an ``xmlrpclib.Fault`` instance.
:param methodname: The name of the method to call if this is a request.
:param methodresponse: Set this to ``True`` if this is a response.
:param encoding: The Unicode encoding to use (defaults to ``'UTF-8'``).
"""
if type(params) is tuple:
params = xml_wrap(params)
else:
assert isinstance(params, Fault)
return dumps(params,
methodname=methodname,
methodresponse=methodresponse,
encoding=encoding,
allow_none=True,
)
def decode_fault(e, encoding='UTF-8'):
assert isinstance(e, Fault)
if type(e.faultString) is str:
return Fault(e.faultCode, e.faultString.decode(encoding))
return e
def xml_loads(data, encoding='UTF-8'):
"""
Decode the XML-RPC packet in ``data``, transparently unwrapping its params.
This function will decode the XML-RPC packet in ``data`` using
``xmlrpclib.loads()`` (from the Python standard library). If ``data``
contains a fault, ``xmlrpclib.loads()`` will itself raise an
``xmlrpclib.Fault`` exception.
Assuming an exception is not raised, this function will then unwrap the
params in ``data`` using `xml_unwrap()`. Finally, a
``(params, methodname)`` tuple is returned containing the unwrapped params
and the name of the method being called. If the packet contains no method
name, ``methodname`` will be ``None``.
For documentation on the ``xmlrpclib.loads()`` function, see:
http://docs.python.org/library/xmlrpclib.html#convenience-functions
Also see `xml_dumps()`.
:param data: The XML-RPC packet to decode.
"""
try:
(params, method) = loads(data)
return (xml_unwrap(params), method)
except Fault, e:
raise decode_fault(e)
class SSLTransport(Transport):
"""Handles an HTTPS transaction to an XML-RPC server."""
def make_connection(self, host):
host, extra_headers, x509 = self.get_host_info(host)
return SSLSocket(host, None, **(x509 or {}))
class SSLFile(SSLFile):
"""
Override the _read method so we can handle PyOpenSSL errors
gracefully.
"""
def _read(self):
buf = ''
while True:
try:
buf = self._ssl.read(self._bufsize)
except SSL.ZeroReturnError:
# Nothing more to be read
break
except SSL.SysCallError, e:
print "SSL exception", e.args
break
except SSL.WantWriteError:
break
except SSL.WantReadError:
break
except socket.error, err:
if err[0] == errno.EINTR:
continue
if err[0] == errno.EBADF:
# XXX socket was closed?
break
raise
else:
break
return buf
class FakeSocket(FakeSocket):
"""
Override this class so we can end up using our own SSLFile
implementation.
"""
def makefile(self, mode, bufsize=None):
if mode != 'r' and mode != 'rb':
raise httplib.UnimplementedFileMode()
return SSLFile(self._shared, self._ssl, bufsize)
class SSLConnection(httplib.HTTPConnection):
"""
Use OpenSSL as the SSL provider instead of the built-in python SSL
support. The built-in SSL client doesn't do CA validation.
By default we will attempt to load the ca-bundle.crt and our own
IPA CA for validation purposes. To add an additional CA to verify
against set the x509['ca_file'] to the path of the CA PEM file in
KerbTransport.get_host_info
"""
default_port = httplib.HTTPSConnection.default_port
def verify_callback(self, conn, cert, errnum, depth, ok):
"""
Verify callback. If we get here then the certificate is ok.
"""
return ok
def __init__(self, host, port=None, key_file=None, cert_file=None,
ca_file=None, strict=None):
httplib.HTTPConnection.__init__(self, host, port, strict)
self.key_file = key_file
self.cert_file = cert_file
self.ca_file = ca_file
def connect(self):
ctx = SSL.Context(SSL.SSLv23_METHOD)
ctx.set_verify(SSL.VERIFY_PEER, self.verify_callback)
if self.key_file:
ctx.use_privatekey_file (self.key_file)
if self.cert_file:
ctx.use_certificate_file(self.cert_file)
if os.path.exists("/etc/pki/tls/certs/ca-bundle.crt"):
ctx.load_verify_locations("/etc/pki/tls/certs/ca-bundle.crt")
if os.path.exists("/etc/ipa/ca.crt"):
ctx.load_verify_locations("/etc/ipa/ca.crt")
if self.ca_file is not None and os.path.exists(self.ca_file):
ctx.load_verify_locations(self.ca_file)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl = SSL.Connection(ctx, sock)
ssl.connect((self.host, self.port))
ssl.do_handshake()
self.sock = FakeSocket(sock, ssl)
class SSLSocket(httplib.HTTP):
"""
This is more or less equivalent to the httplib.HTTPS class, we juse
use our own connection provider.
"""
_connection_class = SSLConnection
def __init__(self, host='', port=None, key_file=None, cert_file=None,
ca_file=None, strict=None):
# provide a default host, pass the X509 cert info
# urf. compensate for bad input.
if port == 0:
port = None
self._setup(self._connection_class(host, port, key_file,
cert_file, ca_file, strict))
# we never actually use these for anything, but we keep them
# here for compatibility with post-1.5.2 CVS.
self.key_file = key_file
self.cert_file = cert_file
self.ca_file = ca_file
class KerbTransport(SSLTransport):
"""
Handles Kerberos Negotiation authentication to an XML-RPC server.
"""
def _handle_exception(self, e, service=None):
(major, minor) = ipautil.get_gsserror(e)
if minor[1] == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
raise errors.ServiceError(service=service)
elif minor[1] == KRB5_FCC_NOFILE:
raise errors.NoCCacheError()
elif minor[1] == KRB5KRB_AP_ERR_TKT_EXPIRED:
raise errors.TicketExpired()
elif minor[1] == KRB5_FCC_PERM:
raise errors.BadCCachePerms()
elif minor[1] == KRB5_CC_FORMAT:
raise errors.BadCCacheFormat()
elif minor[1] == KRB5_REALM_CANT_RESOLVE:
raise errors.CannotResolveKDC()
else:
raise errors.KerberosError(major=major, minor=minor)
def get_host_info(self, host):
(host, extra_headers, x509) = SSLTransport.get_host_info(self, host)
# Set the remote host principal
service = "HTTP@" + host.split(':')[0]
try:
(rc, vc) = kerberos.authGSSClientInit(service,
kerberos.GSS_C_DELEG_FLAG |
kerberos.GSS_C_MUTUAL_FLAG |
kerberos.GSS_C_SEQUENCE_FLAG)
except kerberos.GSSError, e:
self._handle_exception(e)
try:
kerberos.authGSSClientStep(vc, "")
except kerberos.GSSError, e:
self._handle_exception(e, service=service)
extra_headers = [
('Authorization', 'negotiate %s' % kerberos.authGSSClientResponse(vc))
]
return (host, extra_headers, x509)
class xmlclient(Connectible):
"""
Forwarding backend plugin for XML-RPC client.
Also see the `ipaserver.rpcserver.xmlserver` plugin.
"""
def __init__(self):
super(xmlclient, self).__init__()
self.__errors = dict((e.errno, e) for e in public_errors)
def create_connection(self, ccache=None):
kw = dict(allow_none=True, encoding='UTF-8')
if self.env.xmlrpc_uri.startswith('https://'):
kw['transport'] = KerbTransport()
kw['verbose'] = False
return ServerProxy(self.env.xmlrpc_uri, **kw)
def destroy_connection(self):
pass
def forward(self, name, *args, **kw):
"""
Forward call to command named ``name`` over XML-RPC.
This method will encode and forward an XML-RPC request, and will then
decode and return the corresponding XML-RPC response.
:param command: The name of the command being forwarded.
:param args: Positional arguments to pass to remote command.
:param kw: Keyword arguments to pass to remote command.
"""
if name not in self.Command:
raise ValueError(
'%s.forward(): %r not in api.Command' % (self.name, name)
)
self.info('Forwarding %r to server %r', name, self.env.xmlrpc_uri)
command = getattr(self.conn, name)
params = args + (kw,)
try:
response = command(*xml_wrap(params))
return xml_unwrap(response)
except Fault, e:
e = decode_fault(e)
self.debug('Caught fault %d from server %s: %s', e.faultCode,
self.env.xmlrpc_uri, e.faultString)
if e.faultCode in self.__errors:
error = self.__errors[e.faultCode]
raise error(message=e.faultString)
raise UnknownError(
code=e.faultCode,
error=e.faultString,
server=self.env.xmlrpc_uri,
)
except socket.error, e:
raise NetworkError(uri=self.env.xmlrpc_uri, error=e.args[1])
except ProtocolError, e:
raise NetworkError(uri=self.env.xmlrpc_uri, error=e.errmsg)