1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
samba-mirror/python/samba/getopt.py
Nikola Radovanovic 6a5d03e2f7 samba-tool: Use authentication file to pass credentials
In order not to pass credentials in clear-text directly over command line, this is a patch to store username/password/domain in a file and use it during domain join for example.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15031

Signed-off-by: Nikola Radovanovic <radovanovic.extern@univention.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-10-04 02:48:37 +00:00

439 lines
17 KiB
Python

# Samba-specific bits for optparse
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""Support for parsing Samba-related command-line options."""
__docformat__ = "restructuredText"
import optparse
from copy import copy
import os
from samba.credentials import (
Credentials,
AUTO_USE_KERBEROS,
DONT_USE_KERBEROS,
MUST_USE_KERBEROS,
)
import sys
OptionError = optparse.OptionValueError
class SambaOptions(optparse.OptionGroup):
"""General Samba-related command line options."""
def __init__(self, parser):
from samba import fault_setup
fault_setup()
from samba.param import LoadParm
optparse.OptionGroup.__init__(self, parser, "Samba Common Options")
self.add_option("-s", "--configfile", action="callback",
type=str, metavar="FILE", help="Configuration file",
callback=self._load_configfile)
self.add_option("-d", "--debuglevel", action="callback",
type=str, metavar="DEBUGLEVEL", help="debug level",
callback=self._set_debuglevel)
self.add_option("--option", action="callback",
type=str, metavar="OPTION",
help="set smb.conf option from command line",
callback=self._set_option)
self.add_option("--realm", action="callback",
type=str, metavar="REALM", help="set the realm name",
callback=self._set_realm)
self._configfile = None
self._lp = LoadParm()
self.realm = None
def get_loadparm_path(self):
"""Return path to the smb.conf file specified on the command line."""
return self._configfile
def _load_configfile(self, option, opt_str, arg, parser):
self._configfile = arg
def _set_debuglevel(self, option, opt_str, arg, parser):
try:
self._lp.set('debug level', arg)
except RuntimeError:
raise OptionError(f"invalid -d/--debug value: '{arg}'")
parser.values.debuglevel = arg
def _set_realm(self, option, opt_str, arg, parser):
try:
self._lp.set('realm', arg)
except RuntimeError:
raise OptionError(f"invalid --realm value: '{arg}'")
self.realm = arg
def _set_option(self, option, opt_str, arg, parser):
if arg.find('=') == -1:
raise optparse.OptionValueError(
"--option option takes a 'a=b' argument")
a = arg.split('=', 1)
try:
self._lp.set(a[0], a[1])
except Exception as e:
raise optparse.OptionValueError(
"invalid --option option value %r: %s" % (arg, e))
def get_loadparm(self):
"""Return loadparm object with data specified on the command line."""
if self._configfile is not None:
self._lp.load(self._configfile)
elif os.getenv("SMB_CONF_PATH") is not None:
self._lp.load(os.getenv("SMB_CONF_PATH"))
else:
self._lp.load_default()
return self._lp
class Samba3Options(SambaOptions):
"""General Samba-related command line options with an s3 param."""
def __init__(self, parser):
SambaOptions.__init__(self, parser)
from samba.samba3 import param as s3param
self._lp = s3param.get_context()
class VersionOptions(optparse.OptionGroup):
"""Command line option for printing Samba version."""
def __init__(self, parser):
optparse.OptionGroup.__init__(self, parser, "Version Options")
self.add_option("-V", "--version", action="callback",
callback=self._display_version,
help="Display version number")
def _display_version(self, option, opt_str, arg, parser):
import samba
print(samba.version)
sys.exit(0)
def parse_kerberos_arg_legacy(arg, opt_str):
if arg.lower() in ["yes", 'true', '1']:
return MUST_USE_KERBEROS
elif arg.lower() in ["no", 'false', '0']:
return DONT_USE_KERBEROS
elif arg.lower() in ["auto"]:
return AUTO_USE_KERBEROS
else:
raise optparse.OptionValueError("invalid %s option value: %s" %
(opt_str, arg))
def parse_kerberos_arg(arg, opt_str):
if arg.lower() == 'required':
return MUST_USE_KERBEROS
elif arg.lower() == 'desired':
return AUTO_USE_KERBEROS
elif arg.lower() == 'off':
return DONT_USE_KERBEROS
else:
raise optparse.OptionValueError("invalid %s option value: %s" %
(opt_str, arg))
class CredentialsOptions(optparse.OptionGroup):
"""Command line options for specifying credentials."""
def __init__(self, parser, special_name=None):
self.special_name = special_name
if special_name is not None:
self.section = "Credentials Options (%s)" % special_name
else:
self.section = "Credentials Options"
self.ask_for_password = True
self.ipaddress = None
self.machine_pass = False
optparse.OptionGroup.__init__(self, parser, self.section)
self._add_option("--simple-bind-dn", metavar="DN", action="callback",
callback=self._set_simple_bind_dn, type=str,
help="DN to use for a simple bind")
self._add_option("--password", metavar="PASSWORD", action="callback",
help="Password", type=str, callback=self._set_password)
self._add_option("-U", "--username", metavar="USERNAME",
action="callback", type=str,
help="Username", callback=self._parse_username)
self._add_option("-W", "--workgroup", metavar="WORKGROUP",
action="callback", type=str,
help="Workgroup", callback=self._parse_workgroup)
self._add_option("-N", "--no-pass", action="callback",
help="Don't ask for a password",
callback=self._set_no_password)
self._add_option("", "--ipaddress", metavar="IPADDRESS",
action="callback", type=str,
help="IP address of server",
callback=self._set_ipaddress)
self._add_option("-P", "--machine-pass",
action="callback",
help="Use stored machine account password",
callback=self._set_machine_pass)
self._add_option("--use-kerberos", metavar="desired|required|off",
action="callback", type=str,
help="Use Kerberos authentication", callback=self._set_kerberos)
self._add_option("--use-krb5-ccache", metavar="KRB5CCNAME",
action="callback", type=str,
help="Kerberos Credentials cache",
callback=self._set_krb5_ccache)
self._add_option("-A", "--authentication-file", metavar="AUTHFILE",
action="callback", type=str,
help="Authentication file",
callback=self._set_auth_file)
# LEGACY
self._add_option("-k", "--kerberos", metavar="KERBEROS",
action="callback", type=str,
help="DEPRECATED: Migrate to --use-kerberos", callback=self._set_kerberos_legacy)
self.creds = Credentials()
def _ensure_secure_proctitle(self, opt_str, secret_data, data_type="password"):
""" Make sure no sensitive data (e.g. password) resides in proctitle. """
import re
try:
import setproctitle
except ModuleNotFoundError:
msg = ("WARNING: Using %s on command line is insecure. "
"Please install the setproctitle python module.\n"
% data_type)
sys.stderr.write(msg)
sys.stderr.flush()
return False
# Regex to search and replace secret data + option with.
# .*[ ]+ -> Before the option must be one or more spaces.
# [= ] -> The option and the secret data might be separated by space
# or equal sign.
# [ ]*.* -> After the secret data might be one, many or no space.
pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (opt_str, secret_data)
pass_opt_re = re.compile(pass_opt_re_str)
# Get current proctitle.
cur_proctitle = setproctitle.getproctitle()
# Make sure we build the correct regex.
if not pass_opt_re.match(cur_proctitle):
msg = ("Unable to hide %s in proctitle. This is most likely "
"a bug!\n" % data_type)
sys.stderr.write(msg)
sys.stderr.flush()
return False
# String to replace secret data with.
secret_data_replacer = "xxx"
# Build string to replace secret data and option with. And as we dont
# want to change anything else than the secret data within the proctitle
# we have to check if the option was passed with space or equal sign as
# separator.
opt_pass_with_eq = "%s=%s" % (opt_str, secret_data)
opt_pass_part = re.sub(pass_opt_re_str, r'\2', cur_proctitle)
if opt_pass_part == opt_pass_with_eq:
replace_str = "%s=%s" % (opt_str, secret_data_replacer)
else:
replace_str = "%s %s" % (opt_str, secret_data_replacer)
# Build new proctitle:
new_proctitle = re.sub(pass_opt_re_str,
r'\1' + replace_str + r'\3',
cur_proctitle)
# Set new proctitle.
setproctitle.setproctitle(new_proctitle)
def _add_option(self, *args1, **kwargs):
if self.special_name is None:
return self.add_option(*args1, **kwargs)
args2 = ()
for a in args1:
if not a.startswith("--"):
continue
args2 += (a.replace("--", "--%s-" % self.special_name),)
self.add_option(*args2, **kwargs)
def _parse_username(self, option, opt_str, arg, parser):
self.creds.parse_string(arg)
self.machine_pass = False
def _parse_workgroup(self, option, opt_str, arg, parser):
self.creds.set_domain(arg)
def _set_password(self, option, opt_str, arg, parser):
self._ensure_secure_proctitle(opt_str, arg, "password")
self.creds.set_password(arg)
self.ask_for_password = False
self.machine_pass = False
def _set_no_password(self, option, opt_str, arg, parser):
self.ask_for_password = False
def _set_machine_pass(self, option, opt_str, arg, parser):
self.machine_pass = True
def _set_ipaddress(self, option, opt_str, arg, parser):
self.ipaddress = arg
def _set_kerberos_legacy(self, option, opt_str, arg, parser):
print('WARNING: The option -k|--kerberos is deprecated!')
self.creds.set_kerberos_state(parse_kerberos_arg_legacy(arg, opt_str))
def _set_kerberos(self, option, opt_str, arg, parser):
self.creds.set_kerberos_state(parse_kerberos_arg(arg, opt_str))
def _set_simple_bind_dn(self, option, opt_str, arg, parser):
self.creds.set_bind_dn(arg)
def _set_krb5_ccache(self, option, opt_str, arg, parser):
self.creds.set_kerberos_state(MUST_USE_KERBEROS)
self.creds.set_named_ccache(arg)
def _set_auth_file(self, option, opt_str, arg, parser):
if os.path.exists(arg):
self.creds.parse_file(arg)
self.ask_for_password = False
self.machine_pass = False
def get_credentials(self, lp, fallback_machine=False):
"""Obtain the credentials set on the command-line.
:param lp: Loadparm object to use.
:return: Credentials object
"""
self.creds.guess(lp)
if self.machine_pass:
self.creds.set_machine_account(lp)
elif self.ask_for_password:
self.creds.set_cmdline_callbacks()
# possibly fallback to using the machine account, if we have
# access to the secrets db
if fallback_machine and not self.creds.authentication_requested():
try:
self.creds.set_machine_account(lp)
except Exception:
pass
return self.creds
class CredentialsOptionsDouble(CredentialsOptions):
"""Command line options for specifying credentials of two servers."""
def __init__(self, parser):
CredentialsOptions.__init__(self, parser)
self.no_pass2 = True
self.add_option("--simple-bind-dn2", metavar="DN2", action="callback",
callback=self._set_simple_bind_dn2, type=str,
help="DN to use for a simple bind")
self.add_option("--password2", metavar="PASSWORD2", action="callback",
help="Password", type=str,
callback=self._set_password2)
self.add_option("--username2", metavar="USERNAME2",
action="callback", type=str,
help="Username for second server",
callback=self._parse_username2)
self.add_option("--workgroup2", metavar="WORKGROUP2",
action="callback", type=str,
help="Workgroup for second server",
callback=self._parse_workgroup2)
self.add_option("--no-pass2", action="store_true",
help="Don't ask for a password for the second server")
self.add_option("--use-kerberos2", metavar="desired|required|off",
action="callback", type=str,
help="Use Kerberos authentication", callback=self._set_kerberos2)
# LEGACY
self.add_option("--kerberos2", metavar="KERBEROS2",
action="callback", type=str,
help="Use Kerberos", callback=self._set_kerberos2_legacy)
self.creds2 = Credentials()
def _parse_username2(self, option, opt_str, arg, parser):
self.creds2.parse_string(arg)
def _parse_workgroup2(self, option, opt_str, arg, parser):
self.creds2.set_domain(arg)
def _set_password2(self, option, opt_str, arg, parser):
self.creds2.set_password(arg)
self.no_pass2 = False
def _set_kerberos2_legacy(self, option, opt_str, arg, parser):
self.creds2.set_kerberos_state(parse_kerberos_arg(arg, opt_str))
def _set_kerberos2(self, option, opt_str, arg, parser):
self.creds2.set_kerberos_state(parse_kerberos_arg(arg, opt_str))
def _set_simple_bind_dn2(self, option, opt_str, arg, parser):
self.creds2.set_bind_dn(arg)
def get_credentials2(self, lp, guess=True):
"""Obtain the credentials set on the command-line.
:param lp: Loadparm object to use.
:param guess: Try guess Credentials from environment
:return: Credentials object
"""
if guess:
self.creds2.guess(lp)
elif not self.creds2.get_username():
self.creds2.set_anonymous()
if self.no_pass2:
self.creds2.set_cmdline_callbacks()
return self.creds2
# Custom option type to allow the input of sizes using byte, kb, mb ...
# units, e.g. 2Gb, 4KiB ...
# e.g. Option("--size", type="bytes", metavar="SIZE")
#
def check_bytes(option, opt, value):
multipliers = {
"B" : 1,
"KB" : 1024,
"MB" : 1024 * 1024,
"GB" : 1024 * 1024 * 1024}
# strip out any spaces
v = value.replace(" ", "")
# extract the numeric prefix
digits = ""
while v and v[0:1].isdigit() or v[0:1] == '.':
digits += v[0]
v = v[1:]
try:
m = float(digits)
except ValueError:
msg = ("{0} option requires a numeric value, "
"with an optional unit suffix").format(opt)
raise optparse.OptionValueError(msg)
# strip out the 'i' and convert to upper case so
# kib Kib kb KB are all equivalent
suffix = v.upper().replace("I", "")
try:
return m * multipliers[suffix]
except KeyError as k:
msg = ("{0} invalid suffix '{1}', "
"should be B, Kb, Mb or Gb").format(opt, v)
raise optparse.OptionValueError(msg)
class SambaOption(optparse.Option):
TYPES = optparse.Option.TYPES + ("bytes",)
TYPE_CHECKER = copy(optparse.Option.TYPE_CHECKER)
TYPE_CHECKER["bytes"] = check_bytes