search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
schema: Re-work extended rights handling in provision (prep for 2012R2)
[Samba.git] / libgpo / pygpo.c
blobd7bb17382b25d7b56d76f762c91abff193455cb7
1 /*
2 Unix SMB/CIFS implementation.
3 Copyright (C) Luke Morrison <luc785@hotmail.com> 2013
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 3 of the License, or
8 (at your option) any later version.
9
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
14
15 You should have received a copy of the GNU General Public License
16 along with this program. If not, see <http://www.gnu.org/licenses/>.
17 */
18
19 #include <Python.h>
20 #include "includes.h"
21 #include "version.h"
22 #include "param/pyparam.h"
23 #include "gpo.h"
24 #include "ads.h"
25 #include "secrets.h"
26 #include "../libds/common/flags.h"
27 #include "librpc/rpc/pyrpc_util.h"
28 #include "auth/credentials/pycredentials.h"
29 #include "libcli/util/pyerrors.h"
30
31 /* A Python C API module to use LIBGPO */
32
33 #define GPO_getter(ATTR) \
34 static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \
35 { \
36 struct GROUP_POLICY_OBJECT *gpo_ptr \
37 = pytalloc_get_ptr(self); \
38 \
39 if (gpo_ptr->ATTR) \
40 return PyString_FromString(gpo_ptr->ATTR); \
41 else \
42 return Py_None; \
43 }
44 GPO_getter(ds_path)
45 GPO_getter(file_sys_path)
46 GPO_getter(display_name)
47 GPO_getter(name)
48 GPO_getter(link)
49 GPO_getter(user_extensions)
50 GPO_getter(machine_extensions)
51
52 static PyGetSetDef GPO_setters[] = {
53 {discard_const_p(char, "ds_path"), (getter)GPO_get_ds_path, NULL, NULL,
54 NULL},
55 {discard_const_p(char, "file_sys_path"), (getter)GPO_get_file_sys_path,
56 NULL, NULL, NULL},
57 {discard_const_p(char, "display_name"), (getter)GPO_get_display_name, NULL,
58 NULL, NULL},
59 {discard_const_p(char, "name"), (getter)GPO_get_name, NULL, NULL, NULL},
60 {discard_const_p(char, "link"), (getter)GPO_get_link, NULL, NULL, NULL},
61 {discard_const_p(char, "user_extensions"), (getter)GPO_get_user_extensions,
62 NULL, NULL, NULL},
63 {discard_const_p(char, "machine_extensions"),
64 (getter)GPO_get_machine_extensions, NULL, NULL, NULL},
65 {NULL}
66 };
67
68 static PyObject *py_gpo_get_unix_path(PyObject *self, PyObject *args,
69 PyObject *kwds)
70 {
71 NTSTATUS status;
72 const char *cache_dir = NULL;
73 PyObject *ret = Py_None;
74 char *unix_path = NULL;
75 TALLOC_CTX *frame = NULL;
76 static const char *kwlist[] = {"cache_dir", NULL};
77 struct GROUP_POLICY_OBJECT *gpo_ptr \
78 = (struct GROUP_POLICY_OBJECT *)pytalloc_get_ptr(self);
79
80 if (!PyArg_ParseTupleAndKeywords(args, kwds, "|s",
81 discard_const_p(char *, kwlist),
82 &cache_dir)) {
83 PyErr_SetString(PyExc_SystemError,
84 "Failed to parse arguments to gpo_get_unix_path()");
85 goto out;
86 }
87
88 if (!cache_dir) {
89 cache_dir = cache_path(GPO_CACHE_DIR);
90 if (!cache_dir) {
91 PyErr_SetString(PyExc_MemoryError,
92 "Failed to determine gpo cache dir");
93 goto out;
94 }
95 }
96
97 frame = talloc_stackframe();
98
99 status = gpo_get_unix_path(frame, cache_dir, gpo_ptr, &unix_path);
100
101 TALLOC_FREE(frame);
102
103 if (!NT_STATUS_IS_OK(status)) {
104 PyErr_SetString(PyExc_SystemError,
105 "Failed to determine gpo unix path");
106 goto out;
107 }
108
109 ret = PyString_FromString(unix_path);
110
111 out:
112 return ret;
113 }
114
115 static PyMethodDef GPO_methods[] = {
116 {"get_unix_path", (PyCFunction)py_gpo_get_unix_path, METH_KEYWORDS, NULL },
117 {NULL}
118 };
119
120 static PyTypeObject GPOType = {
121 PyVarObject_HEAD_INIT(NULL, 0)
122 .tp_name = "gpo.GROUP_POLICY_OBJECT",
123 .tp_doc = "GROUP_POLICY_OBJECT",
124 .tp_getset = GPO_setters,
125 .tp_methods = GPO_methods,
126 .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
127 };
128
129 typedef struct {
130 PyObject_HEAD
131 ADS_STRUCT *ads_ptr;
132 struct cli_credentials *cli_creds;
133 } ADS;
134
135 static void py_ads_dealloc(ADS* self)
136 {
137 ads_destroy(&(self->ads_ptr));
138 Py_TYPE(self)->tp_free((PyObject*)self);
139 }
140
141 static PyObject* py_ads_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
142 {
143 ADS *self;
144 self = (ADS*)type->tp_alloc(type, 0);
145 return (PyObject*)self;
146 }
147
148 static PyObject* py_ads_connect(ADS *self);
149 static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds)
150 {
151 const char *realm = NULL;
152 const char *workgroup = NULL;
153 const char *ldap_server = NULL;
154 PyObject *py_creds = NULL;
155 PyObject *lp_obj = NULL;
156 struct loadparm_context *lp_ctx = NULL;
157
158 static const char *kwlist[] = {"ldap_server", "loadparm_context",
159 "credentials", NULL};
160 if (!PyArg_ParseTupleAndKeywords(args, kwds, "sO|O",
161 discard_const_p(char *, kwlist),
162 &ldap_server, &lp_obj, &py_creds))
163 return -1;
164
165 if (py_creds) {
166 if (!py_check_dcerpc_type(py_creds, "samba.credentials",
167 "Credentials")) {
168 PyErr_Format(PyExc_TypeError,
169 "Expected samba.credentaials "
170 "for credentials argument");
171 return -1;
172 }
173 self->cli_creds
174 = PyCredentials_AsCliCredentials(py_creds);
175 }
176
177 if (lp_obj) {
178 bool ok;
179 lp_ctx = pytalloc_get_type(lp_obj, struct loadparm_context);
180 if (lp_ctx == NULL) {
181 return -1;
182 }
183 ok = lp_load_initial_only(lp_ctx->szConfigFile);
184 if (!ok) {
185 return -1;
186 }
187 }
188
189 if (self->cli_creds) {
190 realm = cli_credentials_get_realm(self->cli_creds);
191 workgroup = cli_credentials_get_domain(self->cli_creds);
192 } else {
193 realm = lp_realm();
194 workgroup = lp_workgroup();
195 if (!ldap_server) return -1;
196 }
197
198 if ( !(self->ads_ptr = ads_init(realm, workgroup, ldap_server)) )
199 return -1;
200
201 return 0;
202 }
203
204 static PyObject* py_ads_connect(ADS *self)
205 {
206 ADS_STATUS status;
207 TALLOC_CTX *frame = talloc_stackframe();
208 if (self->cli_creds) {
209 self->ads_ptr->auth.user_name =
210 SMB_STRDUP(cli_credentials_get_username(self->cli_creds));
211 self->ads_ptr->auth.flags |= ADS_AUTH_USER_CREDS;
212 self->ads_ptr->auth.password =
213 SMB_STRDUP(cli_credentials_get_password(self->cli_creds));
214 self->ads_ptr->auth.realm =
215 SMB_STRDUP(cli_credentials_get_realm(self->cli_creds));
216
217 status = ads_connect_user_creds(self->ads_ptr);
218 if (!ADS_ERR_OK(status)) {
219 PyErr_SetString(PyExc_SystemError, "ads_connect() failed");
220 TALLOC_FREE(frame);
221 Py_RETURN_FALSE;
222 }
223 } else {
224 char *passwd;
225
226 if (asprintf(&(self->ads_ptr->auth.user_name), "%s$",
227 lp_netbios_name()) == -1) {
228 PyErr_SetString(PyExc_SystemError, "Failed to asprintf");
229 TALLOC_FREE(frame);
230 Py_RETURN_FALSE;
231 } else
232 self->ads_ptr->auth.flags |= ADS_AUTH_USER_CREDS;
233 if (!secrets_init()) {
234 PyErr_SetString(PyExc_SystemError, "secrets_init() failed");
235 TALLOC_FREE(frame);
236 Py_RETURN_FALSE;
237 }
238 if (!(passwd =
239 secrets_fetch_machine_password(self->ads_ptr->server.workgroup,
240 NULL, NULL))) {
241 PyErr_SetString(PyExc_SystemError,
242 "Failed to fetch the machine account password");
243 TALLOC_FREE(frame);
244 Py_RETURN_FALSE;
245 }
246 self->ads_ptr->auth.password = smb_xstrdup(passwd);
247 self->ads_ptr->auth.realm = smb_xstrdup(self->ads_ptr->server.realm);
248 if (!strupper_m(self->ads_ptr->auth.realm)) {
249 PyErr_SetString(PyExc_SystemError, "Failed to strdup");
250 TALLOC_FREE(frame);
251 SAFE_FREE(passwd);
252 Py_RETURN_FALSE;
253 }
254
255 status = ads_connect(self->ads_ptr);
256 if (!ADS_ERR_OK(status)) {
257 PyErr_SetString(PyExc_SystemError, "ads_connect() failed");
258 TALLOC_FREE(frame);
259 SAFE_FREE(passwd);
260 Py_RETURN_FALSE;
261 }
262 }
263
264 TALLOC_FREE(frame);
265 Py_RETURN_TRUE;
266 }
267
268 /* Parameter mapping and functions for the GP_EXT struct */
269 void initgpo(void);
270
271 /* Global methods aka do not need a special pyobject type */
272 static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self,
273 PyObject * args)
274 {
275 TALLOC_CTX *tmp_ctx = NULL;
276 char *unix_path;
277 char *display_name = NULL;
278 uint32_t sysvol_version = 0;
279 PyObject *result;
280 NTSTATUS status;
281
282 tmp_ctx = talloc_new(NULL);
283
284 if (!PyArg_ParseTuple(args, "s", &unix_path)) {
285 return NULL;
286 }
287 status = gpo_get_sysvol_gpt_version(tmp_ctx, unix_path,
288 &sysvol_version,
289 &display_name);
290 if (!NT_STATUS_IS_OK(status)) {
291 PyErr_SetNTSTATUS(status);
292 TALLOC_FREE(tmp_ctx);
293 return NULL;
294 }
295
296 talloc_free(tmp_ctx);
297 result = Py_BuildValue("[s,i]", display_name, sysvol_version);
298 return result;
299 }
300
301 static ADS_STATUS find_samaccount(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx,
302 const char *samaccountname,
303 uint32_t *uac_ret, const char **dn_ret)
304 {
305 ADS_STATUS status;
306 const char *attrs[] = { "userAccountControl", NULL };
307 const char *filter;
308 LDAPMessage *res = NULL;
309 char *dn = NULL;
310 uint32_t uac = 0;
311
312 filter = talloc_asprintf(mem_ctx, "(sAMAccountName=%s)", samaccountname);
313 if (filter == NULL) {
314 status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
315 goto out;
316 }
317
318 status = ads_do_search_all(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE,
319 filter, attrs, &res);
320
321 if (!ADS_ERR_OK(status)) {
322 goto out;
323 }
324
325 if (ads_count_replies(ads, res) != 1) {
326 status = ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
327 goto out;
328 }
329
330 dn = ads_get_dn(ads, talloc_tos(), res);
331 if (dn == NULL) {
332 status = ADS_ERROR(LDAP_NO_MEMORY);
333 goto out;
334 }
335
336 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
337 status = ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
338 goto out;
339 }
340
341 if (uac_ret) {
342 *uac_ret = uac;
343 }
344
345 if (dn_ret) {
346 *dn_ret = talloc_strdup(mem_ctx, dn);
347 if (!*dn_ret) {
348 status = ADS_ERROR(LDAP_NO_MEMORY);
349 goto out;
350 }
351 }
352 out:
353 TALLOC_FREE(dn);
354 ads_msgfree(ads, res);
355
356 return status;
357 }
358
359 static PyObject *py_ads_get_gpo_list(ADS *self, PyObject *args, PyObject *kwds)
360 {
361 TALLOC_CTX *frame = NULL;
362 struct GROUP_POLICY_OBJECT *gpo = NULL, *gpo_list = NULL;
363 ADS_STATUS status;
364 const char *samaccountname = NULL;
365 const char *dn = NULL;
366 uint32_t uac = 0;
367 uint32_t flags = 0;
368 struct security_token *token = NULL;
369 PyObject *ret = Py_None;
370 TALLOC_CTX *gpo_ctx;
371 size_t list_size;
372 size_t i;
373
374 static const char *kwlist[] = {"samaccountname", NULL};
375 if (!PyArg_ParseTupleAndKeywords(args, kwds, "s",
376 discard_const_p(char *, kwlist),
377 &samaccountname)) {
378 PyErr_SetString(PyExc_SystemError,
379 "Failed to parse arguments to py_ads_get_gpo_list()");
380 goto out;
381 }
382
383 frame = talloc_stackframe();
384
385 status = find_samaccount(self->ads_ptr, frame, samaccountname, &uac, &dn);
386 if (!ADS_ERR_OK(status)) {
387 TALLOC_FREE(frame);
388 PyErr_SetString(PyExc_SystemError, "Failed to find samAccountName");
389 goto out;
390 }
391
392 if (uac & UF_WORKSTATION_TRUST_ACCOUNT || uac & UF_SERVER_TRUST_ACCOUNT) {
393 flags |= GPO_LIST_FLAG_MACHINE;
394 status = gp_get_machine_token(self->ads_ptr, frame, dn, &token);
395 } else {
396 status = ads_get_sid_token(self->ads_ptr, frame, dn, &token);
397 }
398 if (!ADS_ERR_OK(status)) {
399 TALLOC_FREE(frame);
400 PyErr_SetString(PyExc_SystemError, "Failed to get token");
401 goto out;
402 }
403
404 gpo_ctx = talloc_new(frame);
405 status = ads_get_gpo_list(self->ads_ptr, gpo_ctx, dn, flags, token,
406 &gpo_list);
407 if (!ADS_ERR_OK(status)) {
408 TALLOC_FREE(frame);
409 PyErr_SetString(PyExc_SystemError, "Failed to fetch GPO list");
410 goto out;
411 }
412
413 /* Convert the C linked list into a python list */
414 list_size = 0;
415 for (gpo = gpo_list; gpo != NULL; gpo = gpo->next) {
416 list_size++;
417 }
418
419 i = 0;
420 ret = PyList_New(list_size);
421 if (ret == NULL) {
422 TALLOC_FREE(frame);
423 goto out;
424 }
425
426 for (gpo = gpo_list; gpo != NULL; gpo = gpo->next) {
427 PyObject *obj = pytalloc_reference_ex(&GPOType,
428 gpo_ctx, gpo);
429 if (obj == NULL) {
430 TALLOC_FREE(frame);
431 goto out;
432 }
433
434 PyList_SetItem(ret, i, obj);
435 i++;
436 }
437
438 out:
439
440 TALLOC_FREE(frame);
441 return ret;
442 }
443
444 static PyMethodDef ADS_methods[] = {
445 { "connect", (PyCFunction)py_ads_connect, METH_NOARGS,
446 "Connect to the LDAP server" },
447 { "get_gpo_list", (PyCFunction)py_ads_get_gpo_list, METH_KEYWORDS, NULL },
448 { NULL }
449 };
450
451 static PyTypeObject ads_ADSType = {
452 .tp_name = "gpo.ADS_STRUCT",
453 .tp_basicsize = sizeof(ADS),
454 .tp_dealloc = (destructor)py_ads_dealloc,
455 .tp_flags = Py_TPFLAGS_DEFAULT,
456 .tp_doc = "ADS struct",
457 .tp_methods = ADS_methods,
458 .tp_init = (initproc)py_ads_init,
459 .tp_new = py_ads_new,
460 };
461
462 static PyMethodDef py_gpo_methods[] = {
463 {"gpo_get_sysvol_gpt_version", (PyCFunction) py_gpo_get_sysvol_gpt_version,
464 METH_VARARGS, NULL},
465 {NULL}
466 };
467
468 /* Will be called by python when loading this module */
469 void initgpo(void)
470 {
471 PyObject *m;
472
473 debug_setup_talloc_log();
474 /* Instantiate the types */
475 m = Py_InitModule3("gpo", py_gpo_methods, "libgpo python bindings");
476 if (m == NULL) return;
477 PyModule_AddObject(m, "version",
478 PyString_FromString(SAMBA_VERSION_STRING));
479
480 if (PyType_Ready(&ads_ADSType) < 0)
481 return;
482 PyModule_AddObject(m, "ADS_STRUCT", (PyObject *)&ads_ADSType);
483
484 if (pytalloc_BaseObject_PyType_Ready(&GPOType) < 0)
485 return;
486
487 Py_INCREF((PyObject *)(void *)&GPOType);
488 PyModule_AddObject(m, "GROUP_POLICY_OBJECT",
489 (PyObject *)&GPOType);
490
491 }
Samba GIT mirror