Imported Upstream version 4.7.2
This commit is contained in:
Mario Fetka
@@ -19,64 +19,51 @@
|
||||
"""
|
||||
Password migration script
|
||||
"""
|
||||
from __future__ import absolute_import
|
||||
|
||||
import cgi
|
||||
import errno
|
||||
import glob
|
||||
from wsgiref.util import request_uri
|
||||
import logging
|
||||
import os.path
|
||||
|
||||
from ipapython.ipa_log_manager import root_logger
|
||||
from ipapython.ipautil import get_ipa_basedn
|
||||
from ipapython.dn import DN
|
||||
from ipapython.ipaldap import IPAdmin
|
||||
from ipalib import errors
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.dn import DN
|
||||
from ipapython import ipaldap
|
||||
from ipalib import errors, create_api
|
||||
|
||||
logger = logging.getLogger(os.path.basename(__file__))
|
||||
|
||||
|
||||
def bad_request(start_response):
|
||||
"""
|
||||
Return a 400 Bad Request error.
|
||||
"""
|
||||
status = '400 Bad Request'
|
||||
response_headers = []
|
||||
response = b''
|
||||
|
||||
start_response(status, response_headers)
|
||||
return [response]
|
||||
|
||||
def wsgi_redirect(start_response, loc):
|
||||
start_response('302 Found', [('Location', loc)])
|
||||
return []
|
||||
|
||||
def get_ui_url(environ):
|
||||
full_url = request_uri(environ)
|
||||
index = full_url.rfind(environ.get('SCRIPT_NAME',''))
|
||||
if index == -1:
|
||||
raise ValueError('Cannot strip the script URL from full URL "%s"' % full_url)
|
||||
return full_url[:index] + "/ipa/ui"
|
||||
|
||||
|
||||
def get_base_dn(ldap_uri):
|
||||
"""
|
||||
Retrieve LDAP server base DN.
|
||||
"""
|
||||
try:
|
||||
conn = IPAdmin(ldap_uri=ldap_uri)
|
||||
conn.do_simple_bind(DN(), '')
|
||||
base_dn = get_ipa_basedn(conn)
|
||||
except Exception, e:
|
||||
root_logger.error('migration context search failed: %s' % e)
|
||||
return ''
|
||||
finally:
|
||||
conn.unbind()
|
||||
|
||||
return base_dn
|
||||
|
||||
|
||||
def bind(ldap_uri, base_dn, username, password):
|
||||
if not base_dn:
|
||||
root_logger.error('migration unable to get base dn')
|
||||
logger.error('migration unable to get base dn')
|
||||
raise IOError(errno.EIO, 'Cannot get Base DN')
|
||||
bind_dn = DN(('uid', username), ('cn', 'users'), ('cn', 'accounts'), base_dn)
|
||||
try:
|
||||
conn = IPAdmin(ldap_uri=ldap_uri)
|
||||
conn.do_simple_bind(bind_dn, password)
|
||||
except (errors.ACIError, errors.DatabaseError, errors.NotFound), e:
|
||||
root_logger.error(
|
||||
'migration invalid credentials for %s: %s' % (bind_dn, e))
|
||||
conn = ipaldap.LDAPClient(ldap_uri)
|
||||
conn.simple_bind(bind_dn, password)
|
||||
except (errors.ACIError, errors.DatabaseError, errors.NotFound) as e:
|
||||
logger.error(
|
||||
'migration invalid credentials for %s: %s', bind_dn, e)
|
||||
raise IOError(
|
||||
errno.EPERM, 'Invalid LDAP credentials for user %s' % username)
|
||||
except Exception, e:
|
||||
root_logger.error('migration bind failed: %s' % e)
|
||||
except Exception as e:
|
||||
logger.error('migration bind failed: %s', e)
|
||||
raise IOError(errno.EIO, 'Bind error')
|
||||
finally:
|
||||
conn.unbind()
|
||||
@@ -86,26 +73,32 @@ def application(environ, start_response):
|
||||
if environ.get('REQUEST_METHOD', None) != 'POST':
|
||||
return wsgi_redirect(start_response, 'index.html')
|
||||
|
||||
content_type = environ.get('CONTENT_TYPE', '').lower()
|
||||
if not content_type.startswith('application/x-www-form-urlencoded'):
|
||||
return bad_request(start_response)
|
||||
|
||||
form_data = cgi.FieldStorage(fp=environ['wsgi.input'], environ=environ)
|
||||
if not form_data.has_key('username') or not form_data.has_key('password'):
|
||||
return wsgi_redirect(start_response, 'invalid.html')
|
||||
if 'username' not in form_data or 'password' not in form_data:
|
||||
return bad_request(start_response)
|
||||
|
||||
slapd_sockets = glob.glob(paths.ALL_SLAPD_INSTANCE_SOCKETS)
|
||||
if slapd_sockets:
|
||||
ldap_uri = 'ldapi://%s' % slapd_sockets[0].replace('/', '%2f')
|
||||
else:
|
||||
ldap_uri = 'ldaps://localhost:636'
|
||||
|
||||
base_dn = get_base_dn(ldap_uri)
|
||||
status = '200 Success'
|
||||
response_headers = []
|
||||
result = 'error'
|
||||
response = b''
|
||||
|
||||
# API object only for configuration, finalize() not needed
|
||||
api = create_api(mode=None)
|
||||
api.bootstrap(context='server', confdir=paths.ETC_IPA, in_server=True)
|
||||
try:
|
||||
bind(ldap_uri, base_dn,
|
||||
bind(api.env.ldap_uri, api.env.basedn,
|
||||
form_data['username'].value, form_data['password'].value)
|
||||
except IOError as err:
|
||||
if err.errno == errno.EPERM:
|
||||
return wsgi_redirect(start_response, 'invalid.html')
|
||||
result = 'invalid-password'
|
||||
if err.errno == errno.EIO:
|
||||
return wsgi_redirect(start_response, 'error.html')
|
||||
|
||||
ui_url = get_ui_url(environ)
|
||||
return wsgi_redirect(start_response, ui_url)
|
||||
result = 'migration-error'
|
||||
else:
|
||||
result = 'ok'
|
||||
response_headers.append(('X-IPA-Migrate-Result', result))
|
||||
start_response(status, response_headers)
|
||||
return [response]
|
||||
|
||||
Reference in New Issue
Block a user