From d98686e96758870cb4a56d41fb0aaae54d4067c5 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Wed, 21 Nov 2007 13:11:10 -0500 Subject: Add radius profile implementations: get_radius_profile_by_uid add_radius_profile update_radius_profile delete_radius_profile find_radius_profiles Rewrite command line arg handling, now support pair entry, interactive mode with auto completion, reading pairs from a file, better handling of mandatory values, better help, long arg names now match attribute name in pairs Establish mappings for all attributes and names used in clients and profiles Add notion of containers to radius clients and profiles in LDAP Move common code, variables, constants, and strings into the files radius_client.py, radius_util.py, ipautil.py to eliminate redundant elements which could get out of sync if modified and to provide access to other code which might benefit from using these items in the future. Add utility functions: format_list() parse_key_value_pairs() Add utility class: AttributeValueCompleter Unify attribute usage in radius ldap schema --- ipa-python/radius_util.py | 231 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 231 insertions(+) create mode 100644 ipa-python/radius_util.py (limited to 'ipa-python/radius_util.py') diff --git a/ipa-python/radius_util.py b/ipa-python/radius_util.py new file mode 100644 index 00000000..482b9f19 --- /dev/null +++ b/ipa-python/radius_util.py @@ -0,0 +1,231 @@ +# Authors: John Dennis +# +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; version 2 only +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +import sys +import os +import re +import ldap +import ldap.filter + +from ipa import ipautil + + +__all__ = [ + 'RADIUS_PKG_NAME', + 'RADIUS_PKG_CONFIG_DIR', + 'RADIUS_SERVICE_NAME', + 'RADIUS_USER', + 'RADIUS_IPA_KEYTAB_FILEPATH', + 'RADIUS_LDAP_ATTR_MAP_FILEPATH', + 'RADIUSD_CONF_FILEPATH', + 'RADIUSD_CONF_TEMPLATE_FILEPATH', + 'RADIUSD', + + 'clients_container', + 'radius_clients_basedn', + 'radius_client_filter', + 'radius_client_dn', + + 'profiles_container', + 'radius_profiles_basedn', + 'radius_profile_filter', + 'radius_profile_dn', + + 'client_ldap_attr_to_name', + 'client_name_to_ldap_attr', + + 'read_pairs_file', +] + +#------------------------------------------------------------------------------ + +RADIUS_PKG_NAME = 'freeradius' +RADIUS_PKG_CONFIG_DIR = '/etc/raddb' + +RADIUS_SERVICE_NAME = 'radius' +RADIUS_USER = 'radiusd' + +RADIUS_IPA_KEYTAB_FILEPATH = os.path.join(RADIUS_PKG_CONFIG_DIR, 'ipa.keytab') +RADIUS_LDAP_ATTR_MAP_FILEPATH = os.path.join(RADIUS_PKG_CONFIG_DIR, 'ldap.attrmap') +RADIUSD_CONF_FILEPATH = os.path.join(RADIUS_PKG_CONFIG_DIR, 'radiusd.conf') +RADIUSD_CONF_TEMPLATE_FILEPATH = os.path.join(ipautil.SHARE_DIR, 'radius.radiusd.conf.template') + +RADIUSD = '/usr/sbin/radiusd' + +#------------------------------------------------------------------------------ + +def reverse_map_dict(src_dict): + reverse_dict = {} + + for k,v in src_dict.items(): + if reverse_dict.has_key(v): + raise ValueError("reverse_map_dict: collision on (%s) with values (%s),(%s)" % \ + v, reverse_dict[v], src_dict[k]) + reverse_dict[v] = k + return reverse_dict + +#------------------------------------------------------------------------------ + +client_ldap_attr_to_name = ipautil.CIDict({ + 'radiusClientIPAddress' : 'Client-IP-Address', + 'radiusClientSecret' : 'Secret', + 'radiusClientNASType' : 'NAS-Type', + 'radiusClientShortName' : 'Name', + 'description' : 'Description', + }) + +client_name_to_ldap_attr = reverse_map_dict(client_ldap_attr_to_name) + +#------------------------------------------------------------------------------ + +profile_ldap_attr_to_name = { + 'radiusArapFeatures' : 'Arap-Features', + 'radiusArapSecurity' : 'Arap-Security', + 'radiusArapZoneAccess' : 'Arap-Zone-Access', + 'radiusAuthType' : 'Auth-Type', + 'radiusCallbackId' : 'Callback-Id', + 'radiusCallbackNumber' : 'Callback-Number', + 'radiusCalledStationId' : 'Called-Station-Id', + 'radiusCallingStationId' : 'Calling-Station-Id', + 'radiusClass' : 'Class', + 'radiusClientIPAddress' : 'Client-IP-Address', + 'radiusExpiration' : 'Expiration', + 'radiusFilterId' : 'Filter-Id', + 'radiusFramedAppleTalkLink' : 'Framed-AppleTalk-Link', + 'radiusFramedAppleTalkNetwork' : 'Framed-AppleTalk-Network', + 'radiusFramedAppleTalkZone' : 'Framed-AppleTalk-Zone', + 'radiusFramedCompression' : 'Framed-Compression', + 'radiusFramedIPAddress' : 'Framed-IP-Address', + 'radiusFramedIPNetmask' : 'Framed-IP-Netmask', + 'radiusFramedIPXNetwork' : 'Framed-IPX-Network', + 'radiusFramedMTU' : 'Framed-MTU', + 'radiusFramedProtocol' : 'Framed-Protocol', + 'radiusFramedRoute' : 'Framed-Route', + 'radiusFramedRouting' : 'Framed-Routing', + 'radiusGroupName' : 'Group-Name', + 'radiusHint' : 'Hint', + 'radiusHuntgroupName' : 'Huntgroup-Name', + 'radiusIdleTimeout' : 'Idle-Timeout', + 'radiusLoginIPHost' : 'Login-IP-Host', + 'radiusLoginLATGroup' : 'Login-LAT-Group', + 'radiusLoginLATNode' : 'Login-LAT-Node', + 'radiusLoginLATPort' : 'Login-LAT-Port', + 'radiusLoginLATService' : 'Login-LAT-Service', + 'radiusLoginService' : 'Login-Service', + 'radiusLoginTCPPort' : 'Login-TCP-Port', + 'radiusLoginTime' : 'Login-Time', + 'radiusNASIpAddress' : 'NAS-IP-Address', + 'radiusPasswordRetry' : 'Password-Retry', + 'radiusPortLimit' : 'Port-Limit', + 'radiusProfileDn' : 'Profile-Dn', + 'radiusPrompt' : 'Prompt', + 'radiusProxyToRealm' : 'Proxy-To-Realm', + 'radiusRealm' : 'Realm', + 'radiusReplicateToRealm' : 'Replicate-To-Realm', + 'radiusReplyMessage' : 'Reply-Message', + 'radiusServiceType' : 'Service-Type', + 'radiusSessionTimeout' : 'Session-Timeout', + 'radiusSimultaneousUse' : 'Simultaneous-Use', + 'radiusStripUserName' : 'Strip-User-Name', + 'radiusTerminationAction' : 'Termination-Action', + 'radiusTunnelAssignmentId' : 'Tunnel-Assignment-Id', + 'radiusTunnelClientEndpoint' : 'Tunnel-Client-Endpoint', + 'radiusTunnelMediumType' : 'Tunnel-Medium-Type', + 'radiusTunnelPassword' : 'Tunnel-Password', + 'radiusTunnelPreference' : 'Tunnel-Preference', + 'radiusTunnelPrivateGroupId' : 'Tunnel-Private-Group-Id', + 'radiusTunnelServerEndpoint' : 'Tunnel-Server-Endpoint', + 'radiusTunnelType' : 'Tunnel-Type', + 'radiusUserCategory' : 'User-Category', + 'radiusVSA' : 'VSA', +} + +profile_name_to_ldap_attr = reverse_map_dict(profile_ldap_attr_to_name) + +#------------------------------------------------------------------------------ + +clients_container = 'cn=clients,cn=radius,cn=services,cn=etc' + +def radius_clients_basedn(container, suffix): + if container is None: container = clients_container + return '%s,%s' % (container, suffix) + +def radius_client_filter(ip_addr): + return "(&(radiusClientIPAddress=%s)(objectclass=radiusClientProfile))" % \ + ldap.filter.escape_filter_chars(ip_addr) + +def radius_client_dn(client, container, suffix): + if container is None: container = clients_container + return 'radiusClientIPAddress=%s,%s,%s' % (ldap.dn.escape_dn_chars(client), container, suffix) + +# -- + +profiles_container = 'cn=profiles,cn=radius,cn=services,cn=etc' + +def radius_profiles_basedn(container, suffix): + if container is None: container = profiles_container + return '%s,%s' % (container, suffix) + +def radius_profile_filter(uid): + return "(&(uid=%s)(objectclass=radiusprofile))" % \ + ldap.filter.escape_filter_chars(uid) + +def radius_profile_dn(uid, container, suffix): + if container is None: container = profiles_container + return 'uid=%s,%s,%s' % (ldap.dn.escape_dn_chars(uid), container, suffix) + + +#------------------------------------------------------------------------------ + +comment_re = re.compile('#.*$', re.MULTILINE) +def read_pairs_file(filename): + if filename == '-': + fd = sys.stdin + else: + fd = open(filename) + data = fd.read() + data = comment_re.sub('', data) # kill comments + pairs = ipautil.parse_key_value_pairs(data) + if fd != sys.stdin: fd.close() + return pairs + + +def get_ldap_attr_translations(): + comment_re = re.compile('#.*$') + radius_attr_to_ldap_attr = {} + ldap_attr_to_radius_attr = {} + try: + f = open(LDAP_ATTR_MAP_FILEPATH) + for line in f.readlines(): + line = comment_re.sub('', line).strip() + if not line: continue + attr_type, radius_attr, ldap_attr = line.split() + print 'type="%s" radius="%s" ldap="%s"' % (attr_type, radius_attr, ldap_attr) + radius_attr_to_ldap_attr[radius_attr] = {'ldap_attr':ldap_attr, 'attr_type':attr_type} + ldap_attr_to_radius_attr[ldap_attr] = {'radius_attr':radius_attr, 'attr_type':attr_type} + f.close() + except Exception, e: + logging.error('cold not read radius ldap attribute map file (%s): %s', LDAP_ATTR_MAP_FILEPATH, e) + pass # FIXME + + #for k,v in radius_attr_to_ldap_attr.items(): + # print '%s --> %s' % (k,v) + #for k,v in ldap_attr_to_radius_attr.items(): + # print '%s --> %s' % (k,v) + -- cgit From 9a9a7e4058cd9fa7932f305290b543bc9f623add Mon Sep 17 00:00:00 2001 From: "jdennis@VAIO" Date: Sat, 24 Nov 2007 11:20:28 -0500 Subject: clean up attribute names clean up command line args in ipa-delradiusclient --- ipa-python/radius_util.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) (limited to 'ipa-python/radius_util.py') diff --git a/ipa-python/radius_util.py b/ipa-python/radius_util.py index 482b9f19..caa72e3a 100644 --- a/ipa-python/radius_util.py +++ b/ipa-python/radius_util.py @@ -47,8 +47,11 @@ __all__ = [ 'radius_profile_filter', 'radius_profile_dn', - 'client_ldap_attr_to_name', - 'client_name_to_ldap_attr', + 'radius_client_ldap_attr_to_radius_attr', + 'radius_client_attr_to_ldap_attr', + + 'radius_profile_ldap_attr_to_radius_attr', + 'radius_profile_attr_to_ldap_attr', 'read_pairs_file', ] @@ -82,7 +85,7 @@ def reverse_map_dict(src_dict): #------------------------------------------------------------------------------ -client_ldap_attr_to_name = ipautil.CIDict({ +radius_client_ldap_attr_to_radius_attr = ipautil.CIDict({ 'radiusClientIPAddress' : 'Client-IP-Address', 'radiusClientSecret' : 'Secret', 'radiusClientNASType' : 'NAS-Type', @@ -90,11 +93,11 @@ client_ldap_attr_to_name = ipautil.CIDict({ 'description' : 'Description', }) -client_name_to_ldap_attr = reverse_map_dict(client_ldap_attr_to_name) +radius_client_attr_to_ldap_attr = reverse_map_dict(radius_client_ldap_attr_to_radius_attr) #------------------------------------------------------------------------------ -profile_ldap_attr_to_name = { +radius_profile_ldap_attr_to_radius_attr = { 'radiusArapFeatures' : 'Arap-Features', 'radiusArapSecurity' : 'Arap-Security', 'radiusArapZoneAccess' : 'Arap-Zone-Access', @@ -156,7 +159,7 @@ profile_ldap_attr_to_name = { 'radiusVSA' : 'VSA', } -profile_name_to_ldap_attr = reverse_map_dict(profile_ldap_attr_to_name) +radius_profile_attr_to_ldap_attr = reverse_map_dict(radius_profile_ldap_attr_to_radius_attr) #------------------------------------------------------------------------------ -- cgit From 4f33d674188268432b3d8ef0921be0de3e6c5ef7 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Mon, 26 Nov 2007 11:12:58 -0500 Subject: remove radius_client.py, move contents to radius_util.py --- ipa-python/radius_util.py | 148 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 147 insertions(+), 1 deletion(-) (limited to 'ipa-python/radius_util.py') diff --git a/ipa-python/radius_util.py b/ipa-python/radius_util.py index caa72e3a..24eb949a 100644 --- a/ipa-python/radius_util.py +++ b/ipa-python/radius_util.py @@ -21,9 +21,12 @@ import sys import os import re import ldap +import getpass import ldap.filter from ipa import ipautil +from ipa.entity import Entity +import ipa.ipavalidate as ipavalidate __all__ = [ @@ -37,6 +40,9 @@ __all__ = [ 'RADIUSD_CONF_TEMPLATE_FILEPATH', 'RADIUSD', + 'RadiusClient', + 'RadiusProfile', + 'clients_container', 'radius_clients_basedn', 'radius_client_filter', @@ -54,7 +60,15 @@ __all__ = [ 'radius_profile_attr_to_ldap_attr', 'read_pairs_file', -] + + 'get_secret', + 'validate_ip_addr', + 'validate_secret', + 'validate_name', + 'validate_nastype', + 'validate_desc', + 'validate', + ] #------------------------------------------------------------------------------ @@ -71,6 +85,35 @@ RADIUSD_CONF_TEMPLATE_FILEPATH = os.path.join(ipautil.SHARE_DIR, 'radius.rad RADIUSD = '/usr/sbin/radiusd' +#------------------------------------------------------------------------------ + +dotted_octet_re = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(/(\d+))?$") +dns_re = re.compile(r"^[a-zA-Z][a-zA-Z0-9.-]+$") +# secret, name, nastype all have 31 char max in freeRADIUS, max ip address len is 255 +valid_secret_len = (1,31) +valid_name_len = (1,31) +valid_nastype_len = (1,31) +valid_ip_addr_len = (1,255) + +valid_ip_addr_msg = '''\ +IP address must be either a DNS name (letters,digits,dot,hyphen, beginning with +a letter),or a dotted octet followed by an optional mask (e.g 192.168.1.0/24)''' + +valid_desc_msg = "Description must text string" + +#------------------------------------------------------------------------------ + +class RadiusClient(Entity): + + def __init2__(self): + pass + +class RadiusProfile(Entity): + + def __init2__(self): + pass + + #------------------------------------------------------------------------------ def reverse_map_dict(src_dict): @@ -232,3 +275,106 @@ def get_ldap_attr_translations(): #for k,v in ldap_attr_to_radius_attr.items(): # print '%s --> %s' % (k,v) +def get_secret(): + valid = False + while (not valid): + secret = getpass.getpass("Enter Secret: ") + confirm = getpass.getpass("Confirm Secret: ") + if (secret != confirm): + print "Secrets do not match" + continue + valid = True + return secret + +#------------------------------------------------------------------------------ + +def valid_ip_addr(text): + + # is it a dotted octet? If so there should be 4 integers seperated + # by a dot and each integer should be between 0 and 255 + # there may be an optional mask preceded by a slash (e.g. 1.2.3.4/24) + match = dotted_octet_re.search(text) + if match: + # dotted octet notation + i = 1 + while i <= 4: + octet = int(match.group(i)) + if octet > 255: return False + i += 1 + if match.group(5): + mask = int(match.group(6)) + if mask <= 32: + return True + else: + return False + return True + else: + # DNS name, can contain letters, numbers, dot and hypen, must start with a letter + if dns_re.search(text): return True + return False + +def validate_length(value, limits): + length = len(value) + if length < limits[0] or length > limits[1]: + return False + return True + +def valid_length_msg(name, limits): + return "%s length must be at least %d and not more than %d" % (name, limits[0], limits[1]) + +def err_msg(variable, variable_name=None): + if variable_name is None: variable_name = 'value' + print "ERROR: %s = %s" % (variable_name, variable) + +#------------------------------------------------------------------------------ + +def validate_ip_addr(ip_addr, variable_name=None): + if not validate_length(ip_addr, valid_ip_addr_len): + err_msg(ip_addr, variable_name) + print valid_length_msg('ip address', valid_ip_addr_len) + return False + if not valid_ip_addr(ip_addr): + err_msg(ip_addr, variable_name) + print valid_ip_addr_msg + return False + return True + +def validate_secret(secret, variable_name=None): + if not validate_length(secret, valid_secret_len): + err_msg(secret, variable_name) + print valid_length_msg('secret', valid_secret_len) + return False + return True + +def validate_name(name, variable_name=None): + if not validate_length(name, valid_name_len): + err_msg(name, variable_name) + print valid_length_msg('name', valid_name_len) + return False + return True + +def validate_nastype(nastype, variable_name=None): + if not validate_length(nastype, valid_nastype_len): + err_msg(nastype, variable_name) + print valid_length_msg('NAS Type', valid_nastype_len) + return False + return True + +def validate_desc(desc, variable_name=None): + if ipavalidate.plain(desc, notEmpty=True) != 0: + print valid_desc_msg + return False + return True + +def validate(attribute, value): + if attribute == 'Client-IP-Address': + return validate_ip_addr(value, attribute) + if attribute == 'Secret': + return validate_secret(value, attribute) + if attribute == 'NAS-Type': + return validate_nastype(value, attribute) + if attribute == 'Name': + return validate_name(value, attribute) + if attribute == 'Description': + return validate_desc(value, attribute) + return True -- cgit From 09238510ff0dced7998e6a1b72f450070e8c6116 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Mon, 26 Nov 2007 19:30:33 -0500 Subject: add command line utilites for radius profiles --- ipa-python/radius_util.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'ipa-python/radius_util.py') diff --git a/ipa-python/radius_util.py b/ipa-python/radius_util.py index 24eb949a..e502fece 100644 --- a/ipa-python/radius_util.py +++ b/ipa-python/radius_util.py @@ -140,7 +140,8 @@ radius_client_attr_to_ldap_attr = reverse_map_dict(radius_client_ldap_attr_to_ra #------------------------------------------------------------------------------ -radius_profile_ldap_attr_to_radius_attr = { +radius_profile_ldap_attr_to_radius_attr = ipautil.CIDict({ + 'uid' : 'UID', 'radiusArapFeatures' : 'Arap-Features', 'radiusArapSecurity' : 'Arap-Security', 'radiusArapZoneAccess' : 'Arap-Zone-Access', @@ -200,7 +201,7 @@ radius_profile_ldap_attr_to_radius_attr = { 'radiusTunnelType' : 'Tunnel-Type', 'radiusUserCategory' : 'User-Category', 'radiusVSA' : 'VSA', -} +}) radius_profile_attr_to_ldap_attr = reverse_map_dict(radius_profile_ldap_attr_to_radius_attr) -- cgit From 78b5987101c3d489c8397da05546d72e24aeea4c Mon Sep 17 00:00:00 2001 From: John Dennis Date: Mon, 26 Nov 2007 23:11:49 -0500 Subject: add parse_items(), read_items_file() move read_pairs_file() to ipautil --- ipa-python/radius_util.py | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'ipa-python/radius_util.py') diff --git a/ipa-python/radius_util.py b/ipa-python/radius_util.py index e502fece..96bc0f89 100644 --- a/ipa-python/radius_util.py +++ b/ipa-python/radius_util.py @@ -59,8 +59,6 @@ __all__ = [ 'radius_profile_ldap_attr_to_radius_attr', 'radius_profile_attr_to_ldap_attr', - 'read_pairs_file', - 'get_secret', 'validate_ip_addr', 'validate_secret', @@ -240,19 +238,6 @@ def radius_profile_dn(uid, container, suffix): #------------------------------------------------------------------------------ -comment_re = re.compile('#.*$', re.MULTILINE) -def read_pairs_file(filename): - if filename == '-': - fd = sys.stdin - else: - fd = open(filename) - data = fd.read() - data = comment_re.sub('', data) # kill comments - pairs = ipautil.parse_key_value_pairs(data) - if fd != sys.stdin: fd.close() - return pairs - - def get_ldap_attr_translations(): comment_re = re.compile('#.*$') radius_attr_to_ldap_attr = {} -- cgit From 4e1d291d15e198a0517a2c6787f865fe41147440 Mon Sep 17 00:00:00 2001 From: John Dennis Date: Fri, 30 Nov 2007 20:29:12 -0500 Subject: change location of radius data in ldap from cn=radius,cn=services,cn=etc to cn=radius --- ipa-python/radius_util.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'ipa-python/radius_util.py') diff --git a/ipa-python/radius_util.py b/ipa-python/radius_util.py index 96bc0f89..1f6e7902 100644 --- a/ipa-python/radius_util.py +++ b/ipa-python/radius_util.py @@ -205,7 +205,7 @@ radius_profile_attr_to_ldap_attr = reverse_map_dict(radius_profile_ldap_attr_to_ #------------------------------------------------------------------------------ -clients_container = 'cn=clients,cn=radius,cn=services,cn=etc' +clients_container = 'cn=clients,cn=radius' def radius_clients_basedn(container, suffix): if container is None: container = clients_container @@ -221,7 +221,7 @@ def radius_client_dn(client, container, suffix): # -- -profiles_container = 'cn=profiles,cn=radius,cn=services,cn=etc' +profiles_container = 'cn=profiles,cn=radius' def radius_profiles_basedn(container, suffix): if container is None: container = profiles_container -- cgit