X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=ud-mailgate;h=1ec0e9f503047b2eca2a8a96c151c71f379fb217;hb=703033b7eeaffc61568300877d2d452651388acf;hp=ae86f6311cffaed92ab23faf5eab1d2116c4ead5;hpb=77661e58f39415c6cee20e537d9a65afd7827ca7;p=mirror%2Fuserdir-ldap.git diff --git a/ud-mailgate b/ud-mailgate index ae86f63..1ec0e9f 100755 --- a/ud-mailgate +++ b/ud-mailgate @@ -9,6 +9,8 @@ import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os, commands import pwd, tempfile +import subprocess +import email, email.parser from userdir_gpg import * from userdir_ldap import * @@ -40,12 +42,12 @@ ValidHostNames = [] # will be initialized in later SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$') SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+') -GenderTable = {"male": 1, - "1": 1, - "female": 2, - "2": 2, - "unspecified": 9, - "9": 9, +GenderTable = {"male": '1', + "1": '1', + "female": '2', + "2": '2', + "unspecified": '9', + "9": '9', }; ArbChanges = {"c": "..", @@ -505,6 +507,9 @@ def FinishConfirmSudopassword(l, uid, Attrs): global SudoPasswd result = "\n" + if len(SudoPasswd) == 0: + return None + res = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+uid, ['sudoPassword']); if len(res) != 1: raise UDFormatError, "Not exactly one hit when searching for user" @@ -554,6 +559,22 @@ def FinishConfirmSudopassword(l, uid, Attrs): return result +def connect_to_ldap_and_check_if_locked(DnRecord): + # Connect to the ldap server + l = connectLDAP() + F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); + AccessPass = F.readline().strip().split(" ") + F.close(); + l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]); + + # Check for a locked account + Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid")); + if (GetAttr(Attrs[0],"userPassword").find("*LK*") != -1) \ + or GetAttr(Attrs[0],"userPassword").startswith("!"): + raise UDNotAllowedError, "This account is locked"; + + return l + # Handle an [almost] arbitary change def HandleChange(Reply,DnRecord,Key): global PlainText; @@ -592,21 +613,13 @@ def HandleChange(Reply,DnRecord,Key): Result = Result + Res + "\n"; # Connect to the ldap server - l = connectLDAP() - F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); - AccessPass = F.readline().strip().split(" ") - F.close(); - - l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]); - oldAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid")); - if ((GetAttr(oldAttrs[0],"userPassword").find("*LK*") != -1) - or GetAttr(oldAttrs[0],"userPassword").startswith("!")): - raise UDNotAllowedError, "This account is locked"; + l = connect_to_ldap_and_check_if_locked(DnRecord) if CommitChanges == 1: # only if we are still good to go try: Res = FinishConfirmSudopassword(l, GetAttr(DnRecord,"uid"), Attrs) - Result = Result + Res + "\n"; + if not Res is None: + Result = Result + Res + "\n"; except Error, e: CommitChanges = 0 Result = Result + "FinishConfirmSudopassword raised an error (%s) - no changes committed\n"%(e); @@ -643,13 +656,23 @@ def HandlePing(Reply,DnRecord,Key): return Reply + TemplateSubst(Subst,open(TemplatesDir+"ping-reply","r").read()); + + +def get_crypttype_preamble(key): + if (key[4] == 1): + type = "Your message was encrypted using PGP 2.x\ncompatibility mode."; + else: + type = "Your message was encrypted using GPG (OpenPGP)\ncompatibility "\ + "mode, without IDEA. This message cannot be decoded using PGP 2.x"; + return type + # Handle a change password email sent to the change password address # (this program called with the chpass argument) def HandleChPass(Reply,DnRecord,Key): # Generate a random password Password = GenPass(); Pass = HashPass(Password); - + # Use GPG to encrypt it Message = GPGEncrypt("Your new password is '" + Password + "'\n",\ "0x"+Key[1],Key[4]); @@ -658,33 +681,15 @@ def HandleChPass(Reply,DnRecord,Key): if Message == None: raise UDFormatError, "Unable to generate the encrypted reply, gpg failed."; - if (Key[4] == 1): - Type = "Your message was encrypted using PGP 2.x\ncompatibility mode."; - else: - Type = "Your message was encrypted using GPG (OpenPGP)\ncompatibility "\ - "mode, without IDEA. This message cannot be decoded using PGP 2.x"; - Subst = {}; Subst["__FROM__"] = ChPassFrom; Subst["__EMAIL__"] = EmailAddress(DnRecord); - Subst["__CRYPTTYPE__"] = Type; + Subst["__CRYPTTYPE__"] = get_crypttype_preamble(Key) Subst["__PASSWORD__"] = Message; Subst["__ADMIN__"] = ReplyTo; Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read()); - - # Connect to the ldap server - l = connectLDAP() - F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r"); - AccessPass = F.readline().strip().split(" ") - F.close(); - l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]); - - # Check for a locked account - Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid")); - if (GetAttr(Attrs[0],"userPassword").find("*LK*") != -1) \ - or GetAttr(Attrs[0],"userPassword").startswith("!"): - raise UDNotAllowedError, "This account is locked"; + l = connect_to_ldap_and_check_if_locked(DnRecord) # Modify the password Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass), (ldap.MOD_REPLACE,"shadowLastChange",str(int(time.time()/24/60/60)))]; @@ -692,7 +697,45 @@ def HandleChPass(Reply,DnRecord,Key): l.modify_s(Dn,Rec); return Reply; - + +def HandleChKrbPass(Reply,DnRecord,Key): + # Connect to the ldap server, will throw an exception if account locked. + l = connect_to_ldap_and_check_if_locked(DnRecord) + + user = GetAttr(DnRecord,"uid") + krb_proc = subprocess.Popen( ('ud-krb-reset', user), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT) + krb_proc.stdin.close() + out = krb_proc.stdout.readlines() + krb_proc.wait() + exitcode = krb_proc.returncode + + # Use GPG to encrypt it + m = "Tried to reset your kerberos principal's password.\n" + if exitcode == 0: + m += "The exitcode of the reset script was zero, indicating that everything\n" + m += "worked. However, this being software who knows. Script's output below." + else: + m += "The exitcode of the reset script was %d, indicating that something\n"%(exitcode) + m += "went terribly, terribly wrong. Please consult the script's output below\n" + m += "for more information. Contact the admins if you have any questions or\n" + m += "require assitance." + + m += "\n"+''.join( map(lambda x: "| "+x, out) ) + + Message = GPGEncrypt(m, "0x"+Key[1],Key[4]); + if Message == None: + raise UDFormatError, "Unable to generate the encrypted reply, gpg failed."; + + Subst = {}; + Subst["__FROM__"] = ChPassFrom; + Subst["__EMAIL__"] = EmailAddress(DnRecord); + Subst["__CRYPTTYPE__"] = get_crypttype_preamble(Key) + Subst["__PASSWORD__"] = Message; + Subst["__ADMIN__"] = ReplyTo; + Reply = Reply + TemplateSubst(Subst,open(TemplatesDir+"passwd-changed","r").read()); + + return Reply; + # Start of main program # Drop messages from a mailer daemon. @@ -709,8 +752,8 @@ try: # Get the email ErrType = EX_PERMFAIL; ErrMsg = "Failed to understand the email or find a signature:"; - Email = mimetools.Message(sys.stdin,0); - Msg = GetClearSig(Email); + mail = email.parser.Parser().parse(sys.stdin); + Msg = GetClearSig(mail); ErrMsg = "Message is not PGP signed:" if Msg[0].find("-----BEGIN PGP SIGNED MESSAGE-----") == -1 and \ @@ -731,11 +774,8 @@ try: global PlainText; ErrMsg = "Problem stripping MIME headers from the decoded message" if Msg[1] == 1: - try: - Index = pgp.text.index("\n\n") + 2 - except ValueError: - Index = pgp.text.index("\n\r\n") + 3 - PlainText = pgp.text[Index:] + e = email.parser.Parser().parsestr(pgp.text) + PlainText = e.get_payload(decode=True) else: PlainText = pgp.text @@ -758,22 +798,13 @@ try: # Check the signature against the replay cache RC = ReplayCache(ReplayCacheFile); - RC.Clean(); - ErrMsg = "The replay cache rejected your message. Check your clock!"; - Rply = RC.Check(pgp.sig_info); - if Rply != None: - RC.close() - raise UDNotAllowedError, Rply; - RC.Add(pgp.sig_info); - RC.close() + RC.process(pgp.sig_info) # Determine the sender address ErrMsg = "A problem occured while trying to formulate the reply"; - Sender = Email.getheader("Reply-To"); - if Sender == None: - Sender = Email.getheader("From"); - if Sender == None: - raise UDFormatError, "Unable to determine the sender's address"; + Sender = mail['Reply-To'] + if not Sender: Sender = mail['From'] + if not Sender: raise UDFormatError, "Unable to determine the sender's address"; # Formulate a reply Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time())); @@ -790,9 +821,12 @@ try: if sys.argv[1] == "ping": Reply = HandlePing(Reply,Attrs[0],pgp.key_info); elif sys.argv[1] == "chpass": - if PlainText.strip().find("Please change my Debian password") != 0: - raise UDFormatError,"Please send a signed message where the first line of text is the string 'Please change my Debian password'"; - Reply = HandleChPass(Reply,Attrs[0],pgp.key_info); + if PlainText.strip().find("Please change my Debian password") >= 0: + Reply = HandleChPass(Reply,Attrs[0],pgp.key_info); + elif PlainText.strip().find("Please change my Kerberos password") >= 0: + Reply = HandleChKrbPass(Reply,Attrs[0],pgp.key_info); + else: + raise UDFormatError,"Please send a signed message where the first line of text is the string 'Please change my Debian password' or some other string we accept here."; elif sys.argv[1] == "change": Reply = HandleChange(Reply,Attrs[0],pgp.key_info); else: