Arthur de Jong

Open Source / Free Software developer

summaryrefslogtreecommitdiffstats
path: root/pynslcd/passwd.py
blob: 1274f21df996f62e57b7dab75e994bfdd58a45f4 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155


# passwd.py - lookup functions for user account information
#
# Copyright (C) 2010-2019 Arthur de Jong
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
# 02110-1301 USA

import logging

import cache
import cfg
import common
import constants
import search


attmap = common.Attributes(
    uid='uid',
    userPassword='"*"',
    uidNumber='uidNumber',
    gidNumber='gidNumber',
    gecos='"${gecos:-$cn}"',
    homeDirectory='homeDirectory',
    loginShell='loginShell',
    objectClass='objectClass')
filter = '(objectClass=posixAccount)'


class Search(search.LDAPSearch):

    case_sensitive = ('uid', 'uidNumber')
    limit_attributes = ('uid', 'uidNumber')
    required = (
        'uid', 'uidNumber', 'gidNumber', 'gecos', 'homeDirectory',
        'loginShell')

    def mk_filter(self):
        if 'uidNumber' in self.parameters:
            self.parameters['uidNumber'] -= cfg.nss_uid_offset
        return super(Search, self).mk_filter()


class Cache(cache.Cache):

    create_sql = '''
        CREATE TABLE IF NOT EXISTS `passwd_cache`
          ( `uid` TEXT PRIMARY KEY,
            `userPassword` TEXT,
            `uidNumber` INTEGER NOT NULL UNIQUE,
            `gidNumber` INTEGER NOT NULL,
            `gecos` TEXT,
            `homeDirectory` TEXT,
            `loginShell` TEXT,
            `mtime` TIMESTAMP NOT NULL );
    '''


class PasswdRequest(common.Request):

    def write(self, name, passwd, uid, gid, gecos, home, shell):
        self.fp.write_string(name)
        self.fp.write_string(passwd)
        self.fp.write_int32(uid)
        self.fp.write_int32(gid)
        self.fp.write_string(gecos)
        self.fp.write_string(home)
        self.fp.write_string(shell)

    def convert(self, dn, attributes, parameters):
        names = attributes['uid']
        if 'shadowAccount' in attributes['objectClass']:
            passwd = 'x'
        else:
            try:
                passwd = attributes['userPassword'][0]
            except IndexError:
                passwd = None
            if not passwd or self.calleruid != 0:
                passwd = '*'
        uids = [int(x) + cfg.nss_uid_offset for x in attributes['uidNumber']]
        gid = int(attributes['gidNumber'][0]) + cfg.nss_gid_offset
        gecos = attributes['gecos'][0]
        home = attributes['homeDirectory'][0]
        shell = attributes['loginShell'][0]
        for name in names:
            if not common.is_valid_name(name):
                logging.warning('%s: %s: denied by validnames option', dn, attmap['uid'])
            else:
                for uid in uids:
                    if uid >= cfg.nss_min_uid:
                        yield (name, passwd, uid, gid, gecos, home, shell)


class PasswdByNameRequest(PasswdRequest):

    action = constants.NSLCD_ACTION_PASSWD_BYNAME

    def read_parameters(self, fp):
        name = fp.read_string()
        common.validate_name(name)
        return dict(uid=name)


class PasswdByUidRequest(PasswdRequest):

    action = constants.NSLCD_ACTION_PASSWD_BYUID

    def read_parameters(self, fp):
        return dict(uidNumber=fp.read_int32())

    def handle_request(self, parameters):
        # check requested numeric id
        if parameters['uidNumber'] >= cfg.nss_min_uid:
            return super(PasswdByUidRequest, self).handle_request(parameters)
        # write the final result code to signify empty results
        self.fp.write_int32(constants.NSLCD_RESULT_END)


class PasswdAllRequest(PasswdRequest):

    action = constants.NSLCD_ACTION_PASSWD_ALL

    def handle_request(self, parameters):
        if not cfg.nss_disable_enumeration:
            return super(PasswdAllRequest, self).handle_request(parameters)


def uid2entry(conn, uid):
    """Look up the user by uid and return the LDAP entry or None."""
    for dn, attributes in Search(conn, parameters=dict(uid=uid)):
        if any((int(x) + cfg.nss_uid_offset) >= cfg.nss_min_uid for x in attributes['uidNumber']):
            return dn, attributes


# FIXME: use cache of dn2uid and try to use DN to get uid attribute


def dn2uid(conn, dn):
    """Look up the user by dn and return a uid or None."""
    for dn, attributes in Search(conn, base=dn):
        if any((int(x) + cfg.nss_uid_offset) >= cfg.nss_min_uid for x in attributes['uidNumber']):
            return attributes['uid'][0]