-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathsirfidal_client_class.py
397 lines (279 loc) · 10.9 KB
/
sirfidal_client_class.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
"""SiRFIDaL client class
"""
### Parameters
_sirfidal_default_server_socket_path = "/tmp/sirfidal_server.socket"
_sirfidal_default_global_config_file = "/etc/sirfidal_clients_parameters.py"
_sirfidal_default_user_config_file = "~/.sirfidal_clients_parameters.py"
_sirfidal_default_auth_wait = 2
_sirfidal_default_useradm_uid_read_wait = 5
_sirfidal_default_mutex_acq_wait = 5
### Modules
import os
import re
import pwd
import socket
# Python2 compatibility
if "SO_PASSCRED" not in dir(socket):
socket.SO_PASSCRED = 16 # From /usr/include/asm-generic/socket.h
### Constants
# Command replies
WRITEERR = -4
EXISTS = -3
NONE = -2
TIMEOUT = -1
NOAUTH = 0
OK = 1
AUTHOK = 1
### Routines
def load_parameters(client_name, global_config_file = \
_sirfidal_default_global_config_file,
user_config_file = _sirfidal_default_user_config_file):
"""Load a set of parameters from a sirfidal_clients_params dictionary, first
located in global_config_file, then in user_config_file. All the key / values
pairs are loaded in globals().
"""
errmsg = ""
load_success = False
for f in (global_config_file, user_config_file):
try:
exec(open(os.path.expanduser(f)).read())
client_params = locals()["sirfidal_clients_params"][client_name]
load_success = True
for k in client_params:
globals()[k] = client_params[k]
except Exception as e:
errmsg += (". Then e" if errmsg else "E") + \
"rror loading {}: {}".format(f, e)
if not load_success:
raise RuntimeError(errmsg)
### Classes
class sirfidal_client:
### Variables
_sock = None
### Methods
def __init__(self, connect = True,
socket_path = _sirfidal_default_server_socket_path):
"""__init__ method
"""
if connect:
self.connect(socket_path = socket_path)
def __enter__(self):
"""__enter__ method
"""
return self
def connect(self, socket_path = _sirfidal_default_server_socket_path):
"""Connect to the SiRFIDaL server
"""
# Open a socket to the auth server
self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
self._sock.connect(socket_path)
return self._sock
def _command(self, cmd = None, timeout = None):
"""Send a command string to the SiFRIDaL server and return the reply.
If cmd is None, only get a reply.
"""
if cmd is not None:
# Set the socket's timeout
self._sock.settimeout(timeout)
# Send the command
self._sock.sendall((cmd + "\n").encode("ascii"))
# Get the reply
reply = ""
while True:
# Get data from the socket
b = self._sock.recv(256).decode("ascii")
# If we got nothing, the server has closed its end of the socket.
if not b:
raise TimeoutError("connection unexpectedly closed")
# Read one LF-terminated line
for c in b:
if c == "\n":
return reply
elif " " <= c <= "~" and len(reply)<256:
reply += c
def waitauth(self, user = None, wait = _sirfidal_default_auth_wait):
"""Authenticate a user. If user is None, use the current username. If wait
isn't specified, use the default wait for authentication.
Return (AUTHOK, []) if the user is authenticated and the requestor is
another user, (AUTHOK, [[UID #1, None], [UID #2, None], ...]) if the user
is authenticated and the requestor is the user themselves,
(AUTHOK, [[UID #1, None or authtok #1], [UID #2, None or authtok #2], ...)
if the user is authenticated and the requestor is root, or (NOAUTH, [])
if the user is not authenticated.
NOAUTH is 0 and AUTHOK is not 0, so the result may be tested directly as a
condition
"""
# Check the wait parameter
if wait < 0:
raise ValueError("invalid wait")
# Get the current username if the user isn't specified
if user is None:
user = pwd.getpwuid(os.getuid()).pw_name
# Check that the username is valid
if not (user and all([" " <= c <= "~" for c in user])):
raise ValueError("invalid username")
# Send the WAITAUTH command to the server and get the reply
reply = self._command("WAITAUTH {} {}".format(user, wait),
timeout = wait + 5)
# Check that the reply is valid
if re.search(r"^(NOAUTH|AUTHOK( +[0-9a-fA-F]+(:[^\s]+)?)*)$", reply):
f = reply.split()
return (AUTHOK, [[ua[0].upper(), ua[1] if ua[1:] else None] \
for ua in [ua.split(":", 1) \
for ua in f[1:]]]) if f[0] == "AUTHOK" else \
(NOAUTH, [])
else:
raise ValueError("unknown server reply '{}'".format(reply))
def _useradm(self, cmd, user, wait, authtok):
"""Manipulate the user/UID/authtok associations: associate a user and a
UID, optionally with a secondary authentication token (ADDUSER), delete a
user/UID/authtok (DELUSER with wait > 0) or delete all user/UID/authtok
associations (DELUSER with wait < 0).
If user is None, use the current username.
Return OK, NOAUTH, WRITEERR, TIMEOUT, EXISTS or NONE depending on the
command.
OK is > 0 while the other error codes are <= 0, so the command's success
may be tested with a comparison with zero.
"""
# Get the current username if the user isn't specified
if user is None:
user = pwd.getpwuid(os.getuid()).pw_name
# Check that the username is valid
if not (user and all([" " <= c <= "~" for c in user])):
raise ValueError("invalid username")
# Check if the authtok is valid
if authtok is not None and \
not (authtok and all([" " <= c <= "~" for c in authtok])):
raise ValueError("invalid authentication token")
# Send the command to the server and get the reply
reply = self._command("{} {} {}{}".format(cmd, user, wait,
(" " + authtok) if authtok is not None else ""),
timeout = max(5, wait + 5))
# Check that the reply is valid and return the appropriate return value
if reply == "OK":
return OK
elif reply == "NOAUTH":
return NOAUTH
elif reply == "WRITEERR":
return WRITEERR
elif reply == "TIMEOUT" and \
(cmd == "ADDUSER" or (cmd == "DELUSER" and wait >= 0)):
return TIMEOUT
elif reply == "EXISTS" and cmd == "ADDUSER":
return EXISTS
elif reply == "NONE" and cmd == "DELUSER":
return NONE
raise ValueError("unknown server reply '{}'".format(reply))
def adduser(self, user = None, authtok = None,
wait = _sirfidal_default_auth_wait):
"""Add a user/UID/authtok association (authtok optional).
If user is None, use the current username.
If wait isn't specified, use the default wait time for scanning a UID.
Return OK, NOAUTH, WRITEERR, TIMEOUT or EXISTS
OK is > 0 while the other error codes are <= 0, so the command's success
may be tested with a comparison with zero.
"""
# Check the wait parameter
if wait < 0:
raise ValueError("invalid wait")
return self._useradm("ADDUSER", user, wait, authtok)
def deluser(self, user = None, wait = _sirfidal_default_auth_wait):
"""Delete a user/UID/authtok association matching a user/UID pair.
If the user is None, use the current username.
If wait isn't specified, use the default wait time for scanning a UID.
Return OK, NOAUTH, WRITEERR, TIMEOUT or NONE
OK is > 0 while the other error codes are <= 0, so the command's success
may be tested with a comparison with zero.
"""
# Check the wait parameter
if wait < 0:
raise ValueError("invalid wait")
return self._useradm("DELUSER", user, wait, None)
def delalluser(self, user = None):
"""Delete all user/UID/authtok associations matching a user.
If user is None, use the current username.
Return OK, NOAUTH, WRITEERR, TIMEOUT or NONE
OK is > 0 while the other error codes are <= 0, so the command's success
may be tested with a comparison with zero.
"""
return self._useradm("DELUSER", user, -1, None)
def watchnbuids(self, timeout = None):
"""Watch the number of active UIDs in real-time.
If timeout is not None, an exception will be raised if no update is
received in time.
Yield (Total nb of UIDs, delta)
"""
reply = self._command("WATCHNBUIDS", timeout = timeout)
while True:
m = re.findall(r"^NBUIDS +(\+?[0-9]+) +([-\+]?[0-9]+)$", reply)
if m:
yield (int(m[0][0]), int(m[0][1]))
else:
raise ValueError("unknown server reply '{}'".format(reply))
reply = self._command()
def watchuids(self, timeout = None):
"""Watch the list of active UIDs in real-time.
If timeout is not None, an exception will be raised if no update is
received in time.
Yield (AUTHOK, [UID#1, UID#2, ...]) or (NOAUTH, [])
"""
reply = self._command("WATCHUIDS", timeout = timeout)
while True:
if re.search("^(NOAUTH|UIDS( +[0-9a-fA-F]+)*)$", reply):
f = reply.upper().split()
authorized = f[0] == "UIDS"
yield (AUTHOK, f[1:]) if authorized else (NOAUTH, [])
else:
raise ValueError("unknown server reply '{}'".format(reply))
if not authorized:
break
reply = self._command()
def mutex_acquire(self, name, wait = _sirfidal_default_mutex_acq_wait):
"""Acquire a named mutex. If wait isn't specified, use the default wait for
mutex acquisition.
Return OK if the mutex was acquired, or EXISTS if the mutex already exists
or if the client already has acquired too many mutexes already
"""
# Check the wait parameter
if wait < 0:
raise ValueError("invalid wait")
# Check that the mutex name is valid
if not (name and all([" " <= c <= "~" for c in name])):
raise ValueError("invalid mutex name")
# Send the MUTEXACQ command to the server and get the reply
reply = self._command("MUTEXACQ {} {}".format(name, wait),
timeout = wait + 5)
# Check that the reply is valid
if reply in ("OK", "EXISTS"):
return OK if reply == "OK" else EXISTS
else:
raise ValueError("unknown server reply '{}'".format(reply))
def mutex_release(self, name):
"""Release a named mutex.
Return OK if the mutex was released, or NONE if the mutex wasn't acquired
in the first place
"""
# Check that the mutex name is valid
if not (name and all([" " <= c <= "~" for c in name])):
raise ValueError("invalid mutex name")
# Send the MUTEXREL command to the server and get the reply
reply = self._command("MUTEXREL {}".format(name), timeout = 5)
# Check that the reply is valid
if reply in ("OK", "NONE"):
return OK if reply == "OK" else NONE
else:
raise ValueError("unknown server reply '{}'".format(reply))
def close(self):
"""Close the connection to the SiRFIDaL server
"""
if self._sock is not None:
self._sock.close()
def __exit__(self, exc_type, exc_value, exc_traceback):
"""__exit__ method
"""
self.close()
def __del__(self):
"""__del__ method
"""
self.close()