/usr/lib/python2.7/site-packages/ipalib/rpc.py

RPC client and shared RPC client/server functionality.

This module adds some additional functionality on top of the ``xmlrpc.client`` module in the Python standard library (``xmlrpclib`` in Python 2). For documentation on the ``xmlrpclib`` module, see:

    http://docs.python.org/2/library/xmlrpclib.html

Also see the `ipaserver.rpcserver` module.

update_persistent_client_session_data:

Given a principal create or update the session data for that principal in the persistent secure storage.

Raises ValueError if unable to perform the action for any reason.

read_persistent_client_session_data:

Given a principal return the stored session data for that principal from the persistent secure storage.

Raises ValueError if unable to perform the action for any reason.

delete_persistent_client_session_data:

Given a principal remove the session data for that principal from the persistent secure storage.

Raises ValueError if unable to perform the action for any reason.

xml_wrap:

Wrap all ``str`` in ``xmlrpc.client.Binary``.

Because ``xmlrpc.client.dumps()`` will itself convert all ``unicode`` instances into UTF-8 encoded ``str`` instances, we don't do it here.

So in total, when encoding data for an XML-RPC packet, the following transformations occur:

* All ``str`` instances are treated as binary data and are wrapped in an ``xmlrpc.client.Binary()`` instance.
* Only ``unicode`` instances are treated as character data. They get converted to UTF-8 encoded ``str`` instances (although as mentioned, not by this function).

Also see `xml_unwrap()`.

:param value: The simple scalar or simple compound value to wrap.

xml_unwrap:

Unwrap all ``xmlrpc.Binary``, decode all ``str`` into ``unicode``.

When decoding data from an XML-RPC packet, the following transformations occur:

* The binary payloads of all ``xmlrpc.client.Binary`` instances are returned as ``str`` instances.
* All ``str`` instances are treated as UTF-8 encoded Unicode strings. They are decoded and the resulting ``unicode`` instance is returned.

Also see `xml_wrap()`.

:param value: The value to unwrap.
:param encoding: The Unicode encoding to use (defaults to ``'UTF-8'``).

xml_dumps:

Encode an XML-RPC data packet, transparently wrapping ``params``.

This function will wrap ``params`` using `xml_wrap()` and will then encode the XML-RPC data packet using ``xmlrpc.client.dumps()`` (from the Python standard library).

For documentation on the ``xmlrpc.client.dumps()`` function, see:

    http://docs.python.org/library/xmlrpc.client.html#convenience-functions

Also see `xml_loads()`.

:param params: A ``tuple`` or an ``xmlrpc.client.Fault`` instance.
:param methodname: The name of the method to call if this is a request.
:param methodresponse: Set this to ``True`` if this is a response.
:param encoding: The Unicode encoding to use (defaults to ``'UTF-8'``).

_JSONPrimer:

Fast JSON primer and pre-converter

Prepare a data structure for JSON serialization. In an ideal world, priming could be handled by the default hook of json.dumps(). Unfortunately the hook treats Python 2 str as text while FreeIPA considers str as bytes.

The primer uses a couple of tricks to achieve maximum performance:

* O(1) type lookup instead of O(n) chain of costly isinstance() calls
* __missing__ and __mro__ with caching to handle subclasses
* inline code with minor code duplication (func lookup in enc_list/dict)
* avoid surplus function calls (e.g. func is _identity, obj.__class__ instead of type(obj))
* function default arguments to turn global into local lookups
* avoid re-creation of bound method objects (e.g.
result.append)
* on-demand lookup of client capabilities with cached values

Depending on the client version number, the primer converts:

* bytes -> {'__base64__': b64encode}
* datetime -> {'__datetime__': LDAP_GENERALIZED_TIME}
* DNSName -> {'__dns_name__': unicode}

The _ipa_obj_hook() function unserializes the marked JSON objects to bytes, datetime and DNSName.

:see: _ipa_obj_hook

store_session_cookie:

Given the contents of a Set-Cookie header scan the header and extract each cookie contained within until the session cookie is located. Examine the session cookie if the domain and path are specified, if not update the cookie with those values from the request URL. Then write the session cookie into the key store for the principal. If the cookie header is None or the session cookie is not present in the header no action is taken.

Context Dependencies:

The per thread context is expected to contain:

    principal
        The current principal the HTTP request was issued for.
    request_url
        The URL of the HTTP request.

RPCClient:

Forwarding backend plugin for XML-RPC client.

Also see the `ipaserver.rpcserver.xmlserver` plugin.

get_url_list:

Create a list of urls consisting of the available IPA servers.

get_session_cookie_from_persistent_storage:

Retrieves the session cookie for the given principal from the persistent secure storage. Returns None if not found or unable to retrieve the session cookie for any reason, otherwise returns a Cookie object containing the session cookie.

apply_session_cookie:

Attempt to load a session cookie for the current principal from the persistent secure storage. If the cookie is successfully loaded adjust the input url's to point to the session path and insert the session cookie into the per thread context for later insertion into the HTTP request. If the cookie is not successfully loaded then the original url is returned and the per thread context is not modified.

Context Dependencies:

The per thread context is expected to contain:

    principal
        The current principal the HTTP request was issued for.

The per thread context will be updated with:

    session_cookie
        A cookie string to be inserted into the Cookie header of the HTTP request.

_call_command:

Call the command with given params

forward:

Forward call to command named ``name`` over XML-RPC.

This method will encode and forward an XML-RPC request, and will then decode and return the corresponding XML-RPC response.

:param command: The name of the command being forwarded.
:param args: Positional arguments to pass to remote command.
:param kw: Keyword arguments to pass to remote command.