File: //proc/self/root/lib/python3.9/site-packages/ipaclient/__pycache__/discovery.cpython-39.opt-1.pyc
a

}�f;]�@sTddlmZddlZddlZddlmZddlmZddlm	Z	ddl
mZddlm
Z
ddlmZmZdd	lmZdd
lmZmZddlmZzddlZWney�dZYn0ddlmZe�e�ZdZd
Z dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(dZ)ede de!de"de#de$de%de&de'de(d i
Z*d!d"�Z+Gd#d$�d$�Z,d%d&�Z-ed'k�rPe-�dS)(�)�absolute_importN)�	rdatatype)�DNSException)�errors)�FQDN)�validate_domain_name)�	query_srv�resolve)�paths)�valid_ip�realm_to_suffix)�DN)�ipaldap���������������i����i����i����i�zipa v2.0ZSuccess�NOT_FQDN�NO_LDAP_SERVER�REALM_NOT_FOUND�NOT_IPA_SERVER�NO_ACCESS_TO_LDAP�NO_TLS_LDAP�PYTHON_LDAP_NOT_INSTALLED�BAD_HOST_CONFIG�
UNKNOWN_ERRORc	Cs|jt�ddgd�}dd�|jdD�}d|vrd|jd\}|�d�}||vrX|�|�|�d|�|D]�}t�d|�z|�t|�|j	d	�\}Wn"t
jy�t�d
�YqhYn0|jd\}|�d���}|t
kr�t�d|t
�qht�d
|�t|�SdS)z�
    Get base DN of IPA suffix in given LDAP server.

    None is returned if the suffix is not found

    :param conn: Bound LDAPClient that will be used for searching
    ZdefaultnamingcontextZnamingcontexts)Z
attrs_listcSsg|]}|�d��qS)�utf-8)�decode)�.0�c�r!�7/usr/lib/python3.9/site-packages/ipaclient/discovery.py�
<listcomp>T�z"get_ipa_basedn.<locals>.<listcomp>rrz'Check if naming context '%s' is for IPAz(info=IPA*)zBLDAP server did not return info attribute to check for IPA version�infoz>Detected IPA server version (%s) did not match the client (%s)z*Naming context '%s' is a valid IPA contextN)Z	get_entryr
�rawr�remove�insert�logger�debug�get_entriesZ
SCOPE_BASEr�NotFound�lower�IPA_BASEDN_INFO)Zconn�entryZcontexts�default�contextr%r!r!r"�get_ipa_basednIs<
�

�


�r2c@s~eZdZdd�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
ddd�Zddd�Zd dd�Z
d!dd�Zd"dd�ZdS)#�IPADiscoverycCs:d|_d|_d|_g|_d|_d|_d|_d|_d|_dS�N)	�realm�domain�server�servers�basedn�realm_source�
domain_source�
server_source�
basedn_source��selfr!r!r"�__init__tszIPADiscovery.__init__cCs�g}d}z�ttjd��}|��}Wd�n1s40Y|D]R}|���d�rf|��ddf}qB|���d�rB|�dd�|��d	d�D��qBWnty�Yn0|r�|g|}|S)
z�Read /etc/resolv.conf and return all domains

        Returns a list of (domain, info) pairs. The info contains a reason
         why the domain is returned.
        N�rr6rz"local domain from /etc/resolv.conf�searchcss|]}|dfVqdS)z#search domain from /etc/resolv.confNr!)r�dr!r!r"�	<genexpr>�s�z6IPADiscovery.__get_resolver_domains.<locals>.<genexpr>�)	�openr
ZRESOLV_CONF�	readlinesr-�
startswith�split�extend�	Exception)r?�domainsr6�f�lines�liner!r!r"Z__get_resolver_domains�s&&
�
�
z#IPADiscovery.__get_resolver_domainscCs|jSr4)r7r>r!r!r"�
getServerName�szIPADiscovery.getServerNamecCs|jSr4)r6r>r!r!r"�
getDomainName�szIPADiscovery.getDomainNamecCs|jSr4)r5r>r!r!r"�getRealmName�szIPADiscovery.getRealmNamecCs|jSr4)�kdcr>r!r!r"�
getKDCName�szIPADiscovery.getKDCNamecCs|jSr4)r9r>r!r!r"�	getBaseDN�szIPADiscovery.getBaseDNcCs�d}t�d||�|s|||vr,t�d|�q||�|�|j|dddd�}|rT||fS|�d�}|d	krjd
S||dd�}qd
S)a�
        Given a domain search it for SRV records, breaking it down to search
        all subdomains too.

        Returns a tuple (servers, domain) or (None,None) if a SRV record
        isn't found. servers is a list of servers found. domain is a string.

        :param tried: A set of domains that were tried already
        :param reason: Reason this domain is searched (included in the log)
        NzDStart searching for LDAP SRV record in "%s" (%s) and its sub-domainszAlready searched %s; skipping�
_ldap._tcp�F��break_on_first�.r)NNrE)r)r*�add�ipadns_search_srv�find)r?r6�tried�reasonr8�pr!r!r"�check_domain�s&�

�
zIPADiscovery.check_domain�NcCs^t�d�t�d|||�d|_d}|�s�|�sF|sDt}t�d|�|sLtSt|�rXtS|�d�}|dkrntS||dd�}|��}|d	fg|}t	�}	|D]�\}}
zt
|�Wn>ty�}z&t�d
||�WYd}~q�WYd}~n
d}~00|�||	|
�\}}|r�d}||_
d||
f|_|_�q.q�|j
�s�t�d
�tSnTt�d|�|j|dddd�}|�r�d}||_
d||_|_nd|_t�d
�tSnt�d�||_
d|_|_t�d�|�r�t�d�||_d|_n|��}||_d|j
|_|�s
|�s
tS|�r(|��|_d|j
|_nd�|�|_d|_tg}d}
t�d�g}|D�]<}t�d||j�|j||j|d�}|dtk�rzt
|ddd �Wn>t�y�}z$t�d!|d|�tg}WYd}~nFd}~00|d|_|d|_d"|j|_|_|�|�|�r��q�nt|dttt fv�rNd}
|�|�|�r��q�nD|dtk�rjt�!d#|�n(|dtk�r�t�!d$|�nt�!d%|��qV|
�s�|jdu�r�|j
�"�|_d&|_t�d'|j�|
�s�|j#du�r�t$|j�|_#d(|_%t�d)|j#�t�d*t&�'|d|d�|j|j
|j|j#�t�d+d,�|��||_(|�rV|d|_t|d<|dS)-a

        Use DNS discovery to identify valid IPA servers.

        servers may contain an optional list of servers which will be used
        instead of discovering available LDAP SRV records.

        Returns a constant representing the overall search result.
        z[IPA Discovery]z>Starting IPA discovery with domain=%s, servers=%s, hostname=%sNFzHostname: %srZrrEzdomain of the hostnamez!Skipping invalid domain '%s' (%s)Tz(Discovered LDAP SRV records from %s (%s)zNo LDAP server foundz Search for LDAP SRV record in %srVrWrXz#Discovered LDAP SRV records from %szServer and domain forcedZForcedz[Kerberos realm search]zKerberos realm forcedz'Discovered Kerberos DNS records from %sz, z&Kerberos DNS record discovery bypassedz[LDAP server check]z-Verifying that %s (realm %s) is an IPA server��ca_cert_pathr�r5�Zentity� Skipping invalid realm '%s' (%s)z&Discovered from LDAP DNS records in %szSkip %s: not an IPA serverzQSkip %s: LDAP server is not responding, unable to verify if this is an IPA serverz/Skip %s: cannot verify if this is an IPA serverzAssumed same as domainz(Assuming realm is the same as domain: %szGenerated from Kerberos realmzGenerated basedn from realm: %sz=Discovery result: %s; server=%s, domain=%s, kdc=%s, basedn=%szValidated servers: %s�,))r)r*r7rrrrr]�#_IPADiscovery__get_resolver_domains�setr�
ValueErrorrar6r<r;rr\r5r:�ipadnssearchkrbrealmr�ipadnssearchkrbkdcrSZ
kdc_source�joinr�ipacheckldap�SUCCESS�appendrrrZwarning�upperr9rr=�error_names�getr8)r?r6r8r5�hostnamerdZautodiscoveredr`rLr^r_�eZldapretZ
ldapaccessZ
valid_serversr7r!r!r"rB�s

�
�"��


��



�
�

���

�


�
���
��
zIPADiscovery.searchc
Cs.tdurtgSg}�z t�|�}d}|r,d}t�d|�tj|||ddd�}z$|�t�d�t�d�t|�}Wn�t	j
y�t�d�tgYWSt	j�y}	zTt�
d	|	j�|dur�t�d
�tgWYd}	~	WStgWYd}	~	WSWYd}	~	n
d}	~	00|du�r"t�d�tgWS||_d|j|_t�d
|j�z|�td|j�|jd�}
Wnt	j�y|tgYWS0|
D]<}t�d|j�|jd\}tj�r�|�d�}|�|��q�|�r|D] }
||
k�r�t||gWS�q�t�d|�tgWSt |�dk�r t�d�tgWSt||dgWSW�n�t	j!�yZt�d�t"gYSt	j#�y�}	z t�d|	j�t"gWYd}	~	Sd}	~	0t	j
�y�t�d�tgYSt	j�y�}	z t�d	|	j�tgWYd}	~	Sd}	~	0t$�y(}	zt�d	|	�tgWYd}	~	Sd}	~	00dS)a-
        Given a host and kerberos realm verify that it is an IPA LDAP
        server hosting the realm.

        Returns a list [errno, host, realm] or an empty list on error.
        Errno is an error number:
            0 means all ok
            negative number means something went wrong
        NFTzInit LDAP connection to: %s)Zcacert�	start_tlsZ	no_schemaZdecode_attrsrbz"Search LDAP server for IPA base DNz(LDAP Error: Anonymous access not allowedzError checking LDAP: %sz?Cannot connect to LDAP server. Check that minssf is not enabledzThe server is not an IPA serverzFrom IPA server %sz6Search for (objectClass=krbRealmContainer) in %s (sub))�cnZkerberosz(objectClass=krbRealmContainer)z	Found: %srxrz2Realm %s does not match any realm in LDAP databaserEzYMultiple realms found, cannot decide which realm is the correct realm without working DNSrzLDAP Error: timeoutzLDAP Error: %s)%rrZget_ldap_urir)r*Z
LDAPClientZsimple_bindr
r2rZACIErrorrZ
DatabaseError�error�strerrorrrrr9�ldap_urir=r+Z
SCOPE_SUBTREEr,rZdnr&�sixZPY3rrqrp�lenZDatabaseTimeoutrZNetworkErrorrK)r?ZthostZtrealmrdZlrealmsr{rwZlhr9�errZlretZlresrxrAr!r!r"ro�s�

�

�*

�
�

��



zIPADiscovery.ipacheckldapTc
Cs�g}d||f}t�d|�zt|�}Wn8ty`}z t�d|jj�g}WYd}~n
d}~00|D]h}	t�d|	�t|	j��d�}
|
s�t�d|	�qf|dur�|	j	|kr�d|
t|	j	�f}
|�
|
�|rfq�qf|S)	a_
        Search for SRV records in given domain. When no record is found,
        en empty list is returned

        :param domain: Search domain name
        :param srv_record_name: SRV record name, e.g. "_ldap._tcp"
        :param default_port: When default_port is not None, it is being
                    checked with the port in SRV record and if they don't
                    match, the port from SRV record is appended to
                    found hostname in this format: "hostname:port"
        :param break_on_first: break on the first find and return just one
                    entry
        z%s.%szSearch DNS for SRV record of %s�DNS record not found: %sN�DNS record found: %srZz-Cannot parse the hostname from SRV record: %sz%s:%s)r)r*rr�	__class__�__name__�str�target�rstrip�portrq)r?r6Zsrv_record_nameZdefault_portrYr8�qname�answersrv�answerr7r!r!r"r\�s,�
zIPADiscovery.ipadns_search_srvcCs<|s
|j}d|}t�d|�zt|tj�}Wn8tyf}z t�d|jj�g}WYd}~n
d}~00d}|D]�}t�d|�|j	rpz|j	d�
d�}Wn<ty�}z$t�d|�WYd}~qpWYd}~n
d}~00|rpzt|d	d
�Wn@t
�y,}z&t�d||�WYd}~qpWYd}~n
d}~00|SqpdS)z�
        :param domain: Domain to be searched in
        :returns: string of a realm found in a TXT record
                  None if no realm was found
        z
_kerberos.zSearch DNS for TXT record of %srNr�rrz+A TXT record cannot be decoded as UTF-8: %sr5rfrg)r6r)r*r	rZTXTrr�r��stringsr�UnicodeDecodeErrorrrk)r?r6r�r�rvr5r�r!r!r"rl's<�"�"
z!IPADiscovery.ipadnssearchkrbrealmcCs@|s
|j}|j|dddd�}|r,d�|�}nt�d|�d}|S)Nz_kerberos._udp�XFrXrhz(SRV record for KDC not found! Domain: %s)r6r\rnr)r*)r?r6rSr!r!r"rmOs
�zIPADiscovery.ipadnssearchkrbkdc)rbrbNNN)N)T)N)N)r��
__module__�__qualname__r@rirPrQrRrTrUrarBror\rlrmr!r!r!r"r3rs"!�
E
p�
)
(r3c	Csddl}ddl}ddlm}|�t�}|j�tj	�r<tj	}nd}|j
d|d�|j
ddd�|�
d�|��}||jd	�t
�}|j|j|jd
�}dD]T}tt||��}	d�|�}
t||
d�}|dur�td
�||	|��q�td�||	��q�|�t|�d�t�||���dS)Nr)�standard_logging_setupz	--ca-cert)r0z--debug�
store_true)�actionr6)r*rc)r5r6r9r7r8z	{}_sourcez{:<8} {:<32}	({})z{:<8} {:<32}z{}
)�argparse�osZipapython.ipa_log_managerr��ArgumentParserr��path�isfiler
Z
IPA_CA_CRT�add_argument�
parse_argsr*r3rBr6Zca_certr��getattr�format�print�exit�absrsrt)r�r�r��parserZ
default_ca�argsZdiscover�result�key�valueZ
source_key�sourcer!r!r"�main_s2


�r��__main__).Z
__future__rZloggingr|ZdnsrZ
dns.exceptionrZipalibrZipalib.constantsrZipalib.utilrZipapython.dnsutilrr	Zipaplatform.pathsr
Zipapython.ipautilrrZipapython.dnr
Zldap�ImportErrorrZ	ipapythonZ	getLoggerr�r)rprrrrrrrrrr.rsr2r3r�r!r!r!r"�<module>s^

�)p%