HEX
Server: LiteSpeed
System: Linux shams.tasjeel.ae 5.14.0-611.5.1.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 11 08:09:09 EST 2025 x86_64
User: infowars (1469)
PHP: 8.2.29
Disabled: NONE
$ pwd: /usr/lib/python3.9/site-packages/ipaclient/install/__pycache__/
Upload Files
File: //usr/lib/python3.9/site-packages/ipaclient/install/__pycache__/ipa_epn.cpython-39.opt-1.pyc
a

}�fQs�@s�dZddlmZmZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
mZddlmZmZmZejZddlmZmZddlmZddlmZdd	lmZdd
lmZddlmZ ddl!m"Z"dd
l#m$Z$m%Z%ddl&m'Z'ddl(m)Z)m*Z*ddl+m,Z,ddl-m.Z.m/Z/m0Z0dZ1dddddddddddddddddd�Z2e	�3e4�Z5d)dd �Z6Gd!d"�d"�Z7Gd#d$�d$e)j8�Z9Gd%d&�d&�Z:Gd'd(�d(�Z;dS)*zoThis tool prepares then sends email notifications to users
   whose passwords are expiring in the near future.
�)�absolute_import�print_functionN)�deque)�datetime�	timedelta�timezone)�
formataddr�
formatdate)�
MIMEMultipart)�MIMEText)�Header)�
make_msgid��error)�paths)�api�errors)�is_ipa_client_configured)�	admintool�ipaldap)�DN)�Environment�FileSystemLoader�TemplateSyntaxErrorz/etc/ipa/epn.conf�	localhost��<�nonezroot@localhost�IPA-EPNz28,14,7,3,1�utf8�plainzYour password will expire soon.)�smtp_server�	smtp_port�	smtp_user�
smtp_password�smtp_client_cert�smtp_client_key�smtp_client_key_pass�smtp_timeout�
smtp_security�
smtp_admin�
smtp_delay�	mail_from�mail_from_name�notify_ttls�msg_charset�msg_subtype�msg_subject�daemonc
Cs�zht��dkrWdSt�g�t�t�|�j�t�t�	|�j
�t��dkrXt�d��t
�d||�Wn4ty�}zt
�d|||�WYd}~n
d}~00dS)z0Drop privileges, defaults to daemon:daemon.
    rNzCannot drop privileges!z'Dropped privileges to user=%s, group=%sz'Failed to drop privileges to %s, %s: %s)�os�getuid�	setgroups�setgid�pwd�getpwnam�pw_uid�setuid�grp�getgrnam�gr_gidrZRequiresRoot�logger�debug�	Exceptionr)Znew_usernameZ
new_groupname�e�rB�=/usr/lib/python3.9/site-packages/ipaclient/install/ipa_epn.py�drop_privilegesNs(

��rDc@sZeZdZdZdd�Zdd�Zdd�Zdd	�Zd
d�Zdd
�Z	dd�Z
ddd�Zdd�ZdS)�EPNUserLista"Maintains a list of users whose passwords are expiring.
       Provides add(), check(), pop(), and json_print().
       From the outside, the list is considered always sorted:
       * displaying the list results in a sorted JSON representation thereof
       * pop() returns the "most urgent" item from the list.
       Internal implementation notes:
       * Uses a deque instead of a list for efficiency reasons
       * all add()-style methods MUST set _sorted to False.
       * all print() and pop-like methods MUST call _sort() first.
    cCsd|_t�|_dS)NF)�_sortedr�_expiring_password_user_dq��selfrBrBrC�__init__wszEPNUserList.__init__cCs
t|j�S)z)If it quacks like a container...
        )�boolrGrHrBrBrC�__bool__{szEPNUserList.__bool__cCs
t|j�S)zReturn len(self).)�lenrGrHrBrBrC�__len__�szEPNUserList.__len__cCst|�|dg��d��S)z9Get a single value from a multi-valued attr in a safe way�r)�str�get�pop)rI�entry�attrrBrBrC�
get_ldap_attr�szEPNUserList.get_ldap_attrcCs�zzd|_|�d�dur*t�d|j�WdS|j�t|�|d�|�|d�|�|d�|�|d�|�|d	�t	|�d��d
��Wn0t
y�}zt�d|�WYd}~n
d}~00dS)z�Parses and appends an LDAP user entry with the uid, cn,
           givenname, sn, krbpasswordexpiration and mail attributes.
        F�mailNz(IPA-EPN: No mail address defined for: %s�uid�cn�	givenname�sn�krbpasswordexpiration�rWrXrYrZr[rVz"IPA-EPN: Could not parse entry: %s)rFrQr>rZdnrG�append�dictrUrP�
IndexError�info�rIrSrArBrBrC�add�s&�




��zEPNUserList.addcCs.|��z|j��WSty(YdS0dS)zPReturns the "most urgent" user to notify.
           In fact: popleft()
        FN)�_sortrG�popleftr_rHrBrBrCrR�s
zEPNUserList.popcCs|jdd�dS)NF��really_print)�
json_printrHrBrBrC�check�szEPNUserList.checkTc
Csnz8|��tjt|j�ddd�}|�d�|r6t|�Wn0tyh}zt�	d|�WYd}~n
d}~00dS)z�Dump self._expiring_password_user_dq to JSON.
           Check that the result can be re-rencoded to UTF-8.
           If really_print, print the result.
        �F)�indentZensure_asciirzIPA-EPN: unexpected error: %sN)
rc�json�dumps�listrG�encode�printr@r>r)rIrfZtemp_strrArBrBrCrg�s�
zEPNUserList.json_printcCs4|js0t|jt�r0tt|jdd�d��|_d|_dS)NcSs|dS)Nr[rB)�itemrBrBrC�<lambda>��z#EPNUserList._sort.<locals>.<lambda>)�keyT)rF�
isinstancerGr�sortedrHrBrBrCrc�s��zEPNUserList._sortN)T)
�__name__�
__module__�__qualname__�__doc__rJrLrNrUrbrRrhrgrcrBrBrBrCrEks

rEcs�eZdZdZejZdZdZ�fdd�Z	e
�fdd��Z�fdd	�Zd/�fdd�	Z
�fd
d�Zd0dd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd1d'd(�Zd)d*�Zd+d,�Zd-d.�Z�ZS)2�EPNrz%prog [options]z%Expiring Password Notifications (EPN)csHtt|��||�d|_d|_t�|_g|_g|_d|_	d|_
d|_dS�N)�superrzrJ�_conn�_ssl_contextrE�_expiring_password_user_list�
_ldap_data�_date_ranges�_mailer�env�default_email_domain)rI�options�args��	__class__rBrCrJ�szEPN.__init__cshtt|�j|dd�|jdddddd�|jdd	ddd
d�|jddd
ddd�|jddd
ddd�dS)NT)Zdebug_optionz
--from-nbdays�from_nbdays�storezminimal number of days)�dest�action�default�helpz--to-nbdays�	to_nbdayszmaximal number of daysz	--dry-run�dry_run�
store_trueFzDry run mode. JSON ouput only.z--mail-test�mailtestzSend a test e-mail)r|rz�add_optionsZ
add_option)�cls�parserr�rBrCr��s:����zEPN.add_optionsc
sltt|�jdd�|jjdur|zt|jj�dkr8td��Wn8tyr}z |j�	dj
|d��WYd}~n
d}~00d|j_|jjdur�zt|jj�dkr�td��Wn8ty�}z |j�	dj
|d��WYd}~n
d}~00|jjdu�r |jjdu�r t|jj�t|jj�k�r |j�	d�|jjdu�rH|jjdu�rH|j�	d	�|jj
�rh|jj�rh|j�	d
�dS)NT)Z
needs_rootrzInput is negative.z/--to-nbdays must be a positive integer. {error}rz1--from-nbdays must be a positive integer. {error}z/--from-nbdays must be smaller than --to-nbdays.z4You cannot specify --from-nbdays without --to-nbdaysz5You cannot specify --mail-test and --dry-run together)r|rz�validate_optionsr�r��int�RuntimeErrorr@Z
option_parserr�formatr�r�r��rIrAr�rBrCr��sN����
��
���zEPN.validate_options�acstt|�jdd�dS)Nr�)�
log_file_mode)r|rz�
setup_logging)rIr�r�rBrCr�#szEPN.setup_loggingcstt|���t�s&t�d�t���|��|�	�|�
�|��|��|�
�|��t�|jjrv|��n.|jjr�|��|jD]}|�|�|��q�|jjr�|��nJttjjtjjtjjtjj tjj!tjj"|j#|j$tjj%tjj&d�
|_'|�(�dS)Nz,IPA client is not configured on this system.)
�security_protocol�
smtp_hostnamer"r(�
smtp_usernamer$�ssl_context�x_mailerr0r/))r|rz�runrr>rr�ScriptError�_get_krb5_ticket�_read_configuration�_validate_configuration�_parse_configuration�_get_connection�_read_ipa_configuration�_create_ssl_contextrDr�r��_gentestdatar��_build_cli_date_rangesr��_fetch_data_from_ldap�_parse_ldap_datar��_pretty_print_data�
MailUserAgentrr�r)r!r"r(r#r$r~�command_namer0r/r��_send_emails)rI�
date_ranger�rBrCr�&sD





�zEPN.runNcCsltjtd�}t�|tj���}|t|d�}|durD|t|d�}n|tdd�}t�d||||�||fS)z�Detects current time and returns a date range, given a number
           of days in the future.
           If only nbdays_end is specified, the range is 1d long.
        �Ztz)�daysN�z�IPA-EPN: Current date: %s 
IPA-EPN: Date & time, today at midnight: %s 
IPA-EPN: Date range start: %s 
IPA-EPN: Date range end: %s 
)	r�now�UTCZcombine�min�timerr>r?)rI�
nbdays_end�nbdays_startr�Ztoday_at_midnightZ	range_endZrange_startrBrBrC�_get_date_range_from_nbdaysPs�
zEPN._get_date_range_from_nbdaysc	CsB|��}t|j�d�dd�|j|j|j|j|jfD��}|dS)zgConvert datetime to LDAP_GENERALIZED_TIME_FORMAT
           Note: Consider moving into ipalib.
        rOcss*|]"}ddtt|��t|�VqdS)�0�N)rMrP)�.0rprBrBrC�	<genexpr>ns�z4EPN._datetime_to_generalized_time.<locals>.<genexpr>�Z)	Z	timetuplerP�tm_year�join�tm_mon�tm_mday�tm_hour�tm_min�tm_sec)rIZdtZgeneralized_time_strrBrBrC�_datetime_to_generalized_timeis��

z!EPN._datetime_to_generalized_timecCstj�dd�dtjd<dS)z�Setup the environment to obtain a krb5 ticket for us using the
           system keytab.
           Uses CCACHE = MEMORY (limited to the current process).
        ZKRB5_CLIENT_KTNAMEz/etc/krb5.keytabzMEMORY:Z
KRB5CCNAMEN)r3�environ�
setdefaultrHrBrBrCr�zszEPN._get_krb5_ticketcCsHtdtjdd�}tjfi|��tjjfit��t�d�sDt�	�dS)z5Merge in the EPN configuration from /etc/ipa/epn.conf�epnF)�context�confdirZ	in_server�finalizeN)
r^rZETC_IPArZ	bootstrapr�Z_merge�
EPN_CONFIGZisdoner�)rIZbase_configrBrBrCr��s�
zEPN._read_configurationc
Cstjj��dvrtd��tjjdur8tjjdur8td��tjjdurPtdt��z dd�t	tjj��
d�D�Wn8ty�}z td	tjj|f��WYd}~n
d}~00tjj�rzt
tjj�Wn0ty�}ztd
|��WYd}~n
d}~00t
tjj�dk�rtd��dS)
z1Examine the user-provided configuration.
        )r�starttls�sslz3smtp_security must be one of: none, starttls or sslNz&smtp_user set and smtp_password is notznotify_ttls must be set in %scSsg|]}t|��qSrB�r��r��krBrBrC�
<listcomp>�rrz/EPN._validate_configuration.<locals>.<listcomp>�,z%Failed to parse notify_ttls: '%s': %szsmtp_delay is misformatted: %srz#smtp_delay cannot be less than zero)rr�r)�lowerr�r#r$r.�EPN_CONFrP�split�
ValueErrorr+�floatr�rBrBrCr��s*� 
�
"zEPN._validate_configurationcCsndd�ttjj��d�D�}|��|D]}|j�|jd|dd��q(t	t
j�tjj
d��}t|d�|_dS)	z	
        cSsg|]}t|��qSrBr�r�rBrBrCr��rrz,EPN._parse_configuration.<locals>.<listcomp>r�Nr��r�r�r�)�loader)rPrr�r.r��sortr�r]r�rr3�pathr�r�r)rIZdaylistZdayr�rBrBrCr��s��zEPN._parse_configurationcCs>tjj��tj��d}|�ddg�d|_tjj��dS)zGet the IPA configuration�resultZipadefaultemaildomainNr)	rZBackendZ	rpcclientZconnectZCommandZconfig_showrQr�Z
disconnect)rIr�rBrBrCr��s��zEPN._read_ipa_configurationc
Cs�|jdur|jSz tj�tjj�|_|j��Wnjty�z tj�	tjj
�|_|j��Wn6ty�}zt�
d|jj|�WYd}~n
d}~00Yn0|jS)z4Create a connection to LDAP and bind to it.
        Nz$Unable to bind to LDAP server %s: %s)r}rZ
LDAPClientZ
from_realmrr�ZrealmZ
external_bindr@Zfrom_hostname_secureZserverZgssapi_bindr>rZldap_urir�rBrBrCr��s$
�� zEPN._get_connectioncCsHtjj��dvrDt��|_tjjrD|jjtjjtjj	t
tjj�d�dS)z�Create SSL context.
           This must be done before the dropping priviliges to allow
           read in the smtp client's certificate and private key if specified.
        )r�r�)ZcertfileZkeyfile�passwordN)rr�r)r�r�Zcreate_default_contextr~r%Zload_cert_chainr&rPr'rHrBrBrCr��s

�zEPN._create_ssl_contextcCs�|jdurt�d�ttjjtjj�}gd�}d|�|d�|�|d�f}zTz|jj	||||jj
d�|_Wntj
y�t�d�Yn0Wt�d	t|j��nt�d	t|j��0dS)
z�Run a LDAP query to fetch a list of user entries whose passwords
           would expire in the near future. Store in self._ldap_data.
        Nz5IPA-EPN: Connection to LDAP not established. Exiting.)rWr[rVrXrYZsurnamezj(&(!(nsaccountlock=TRUE))             (krbpasswordexpiration<=%s)             (krbpasswordexpiration>=%s))r�r)�filter�
attrs_listZscopez
Empty Result.z%d entries found)r}r>rrrr�Zcontainer_userZbasednr�Zget_entriesZ
SCOPE_SUBTREEr�rZEmptyResultr?rM)rIr�Zsearch_baser�Z
search_filterrBrBrCr��s,
����
�zEPN._fetch_data_from_ldapc
Csx|jrt|jD]}|j�|�qzLz|jdd�Wn0ty`}zt�d|�WYd}~n
d}~00Wg|_ng|_0dS)zHFill out self._expiring_password_user_list from data from ldap.
        Frez"IPA-EPN: Could not create JSON: %sN)r�rrbr�r@r>rrarBrBrCr�	s
$zEPN._parse_ldap_dataTcCs|jj|d�dS)z8Dump self._expiring_password_user_list to JSON.
        reN)rrg)rIrfrBrBrCr�s�zEPN._pretty_print_datac
CsP|jdurt�d�dSz|j�d�}Wn6ty^}ztd|j|f��WYd}~n
d}~00tjj	rrtjj	}n
d|j
}|j�rB|j��}|j
|d|d|d|d|d	d
�}|jjtjj|t�|d�|tjjd�tjtd
�}t�|d	d�jtd�}t�d|d|d||j|�tjjr|t�ttjj�d�q||j��dS)Nz#IPA-EPN: mailer was not configured.zexpire_msg.templatezParsing template %s failed: %sz
noreply@%srWrYrZrXr[)rW�first�last�fullnameZ
expirationrV��mail_subject�	mail_body�subscribersr,r-r��%Y-%m-%d %H:%M:%S)Ztzinfoz5Notified %s (%s). Password expiring in %d days at %s.i�)r�r>rr�Zget_templaterr��filenamerr,r�rrRZrender�send_messager1�astZliteral_evalr-rr�r��strptime�replacer?r�r+r��sleepr��cleanup)rI�templaterAr,rS�bodyr��expdaterBrBrCr�sV

�


�����zEPN._send_emailscCsFtjtd��d�}tdgdgdgdg|gtjjgd�}|j�	|�dS)	z@Generate a sample user to process through the template.
        r�r�ZSAUSERzSAMPLE USERZSAMPLEZUSERr\N)
rr�r��strftimer^rr�r*rrb)rIr�rSrBrBrCr�Hs�zEPN._gentestdatacCsrg|_t�d�|jjdurD|j�|jt|jj�t|jj�d��n*|jjdurn|j�|jdt|jj�d��dS)z�When self.options.to_nbdays is set, override the date ranges read
           from the configuration file and build the date ranges from the CLI
           options.
        z,IPA-EPN: Ignoring configuration file ranges.Nr�)	r�r>r?r�r�r]r�r�r�rHrBrBrCr�Vs


����zEPN._build_cli_date_ranges)r�)N)T)rvrwrxr�rZ
IPAEPN_LOGZ
log_file_name�usage�descriptionrJ�classmethodr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r��
__classcell__rBrBr�rCrz�s2%*
$
*rzc@s<eZdZdZddd�Zd	d
�Zddd�Zd
d�Zdd�ZdS)�	MTAClientz/MTA Client class. Originally done for EPN.
    rrrrNcCsZ||_||_||_||_||_||_||_d|_|jdkrNd|jvrNt�	d�|�
�dS)NrrzBIPA-EPN: using cleartext for non-localhost SMTPd is not supported.)�_security_protocol�_smtp_hostname�
_smtp_port�
_smtp_timeout�	_username�	_passwordr~r}r>r�_connect)rIr�r�r"r(r�r$r�rBrBrCrJps 
���zMTAClient.__init__cCs|��dSr{)�_disconnectrHrBrBrCr��szMTAClient.cleanupcCs�d}z�z|j�tjj||�}Wn0tyN}zt�d|�WYd}~n
d}~00W|r�|D]$}t�d|||d||d�qZt�d�n:|r�|D]$}t�d|||d||d�q�t�d�0dS)Nz IPA-EPN: Failed to send mail: %sz+IPA-EPN: Failed to send mail to '%s': %s %srr�z6IPA-EPN: Failed to send mail to at least one recipient)r}Zsendmailrr�r*r@r>r`)rI�message_strr�r�rArsrBrBrCr��s:
�$

���

��zMTAClient.send_messagec
CszH|j��dvr*tj|j|j|jd�|_ntj|j|j|j|j	d�|_WnHt
tjfy�}z*dj|j|j|d�}t
�|��WYd}~n
d}~00z|j��Wn:tjy�}z t�d|j|j|�WYd}~n
d}~00|j��dk�rJz|jj|j	d�|j��Wn>tj�yH}z"td	|j|j|f��WYd}~n
d}~00|j�r|j�r|j�d
��r�z,|j�|j|j�|jdk�r�t�d�Wnftj�y�td
|j|jf��Yn>tj�y�}z"td|j|j|f��WYd}~n
d}~00nd|j|jf}t�|�dS)N)rr�)�host�port�timeout)rr	r
r�zPIPA-EPN: Could not connect to the configured SMTP server: {host}:{port}: {error})rr	rz'IPA-EPN: EHLO failed for host %s:%s: %sr�)r�z;IPA-EPN: Unable to create an encrypted session to %s:%s: %sZAUTHrz6IPA-EPN: Username and Password were sent in the clear.zTIPA-EPN: Authentication to %s:%s failed, please check your username and/or password:zIPA-EPN: SMTP Error at %s:%s:%sz9IPA-EPN: Server at %s:%s does not support authentication.)r�r��smtplibZSMTPrrrr}ZSMTP_SSLr~�socketerrorZ
SMTPExceptionr�rr�Zehlor>rr�r�rrZhas_extnZloginZwarningZSMTPAuthenticationError)rIrA�msgZerr_strrBrBrCr�s��
��� �������������zMTAClient._connectcCs|j��dSr{)r}�quitrHrBrBrCr�szMTAClient._disconnect)rrrrNNN)NN)	rvrwrxryrJr�r�rrrBrBrBrCr�ls�
 
Mr�c
@s4eZdZdZdd	d
�Zdd�Zdd
d�Zdd�ZdS)r�zThe MUA class for EPN.
    rrrrNr rc	CsL||_d|_d|_d|_|	|_|
|_d|_d|_t|||||||d�|_	dS)N)r�r�r"r(r�r$r�)
�	_x_mailer�_subject�_body�_subscribers�_subtype�_charset�_msg�_message_strr��_mta_client)rIr�r�r"r(r�r$r�r�r0r/rBrBrCrJ�s"�zMailUserAgent.__init__cCs|j��dSr{)rr�rHrBrBrCr� szMailUserAgent.cleanupcCsJd|||||fvr t�d�dS|j|||||d�|jj|j|d�dS)zfGiven mail_subject, mail_body, and subscribers, composes
           the message and sends it.
        Nz(IPA-EPN: Tried to send an empty message.Fr�)rr�T)r>r�_compose_messagerr�r�rIr�r�r�r,r-rBrBrCr�#s �
��zMailUserAgent.send_messagecCs�||_||_||_t|jd�|_t||f�|jd<d�|j�|jd<tdd�|jd<t	|j|j�|jd<t
�|jd	<d
|j_d|jvr�|jr�|j�
d|j�|j�t|jd|j|jd
��|j��|_dS)z7The composer creates a MIME multipart message.
        )rZFromz, ZToT)�	localtimeZDateZSubjectz
Message-IdzMultipart messagezX-Mailerz

)rrN)rrrr
rrrr�r	rr
ZpreamblerZ
add_headerZattachrrZ	as_stringrrrBrBrCr:s(��zMailUserAgent._compose_message)
rrrrNNNNr r)NNNNN)rvrwrxryrJr�r�rrBrBrBrCr��s"�
#�
r�)r2r2)<ryZ
__future__rrr�r;rkr3r7Zloggingrr�r��collectionsrrrrZutcr�Zemail.utilsrr	Zemail.mime.multipartr
Zemail.mime.textrZemail.headerrr
ZsocketrrZipaplatform.pathsrZipalibrrZipalib.factsrZ	ipapythonrrZipapython.dnrZjinja2rrrr�r�Z	getLoggerrvr>rDrEZ	AdminToolrzr�r�rBrBrBrC�<module>sl�

a#
@ Telegram