auth/credentials/pycredentials.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
   4
   5    This program is free software; you can redistribute it and/or modify
   6    it under the terms of the GNU General Public License as published by
   7    the Free Software Foundation; either version 3 of the License, or
   8    (at your option) any later version.
   9
  10    This program is distributed in the hope that it will be useful,
  11    but WITHOUT ANY WARRANTY; without even the implied warranty of
  12    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13    GNU General Public License for more details.
  14
  15    You should have received a copy of the GNU General Public License
  16    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  17 */
  18
  19 #include <Python.h>
  20 #include "python/py3compat.h"
  21 #include "includes.h"
  22 #include "pycredentials.h"
  23 #include "param/param.h"
  24 #include "lib/cmdline/credentials.h"
  25 #include "auth/credentials/credentials_internal.h"
  26 #include "librpc/gen_ndr/samr.h" /* for struct samr_Password */
  27 #include "librpc/gen_ndr/netlogon.h"
  28 #include "libcli/util/pyerrors.h"
  29 #include "libcli/auth/libcli_auth.h"
  30 #include "param/pyparam.h"
  31 #include <tevent.h>
  32 #include "libcli/auth/libcli_auth.h"
  33 #include "auth/credentials/credentials_internal.h"
  34 #include "system/kerberos.h"
  35 #include "auth/kerberos/kerberos.h"
  36
  37 void initcredentials(void);
  38
  39 static PyObject *PyString_FromStringOrNULL(const char *str)
  40 {
  41         if (str == NULL)
  42                 Py_RETURN_NONE;
  43         return PyStr_FromString(str);
  44 }
  45
  46 static PyObject *py_creds_new(PyTypeObject *type, PyObject *args, PyObject *kwargs)
  47 {
  48         return pytalloc_steal(type, cli_credentials_init(NULL));
  49 }
  50
  51 static PyObject *py_creds_get_username(PyObject *self, PyObject *unused)
  52 {
  53         return PyString_FromStringOrNULL(cli_credentials_get_username(PyCredentials_AsCliCredentials(self)));
  54 }
  55
  56 static PyObject *py_creds_set_username(PyObject *self, PyObject *args)
  57 {
  58         char *newval;
  59         enum credentials_obtained obt = CRED_SPECIFIED;
  60         int _obt = obt;
  61
  62         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
  63                 return NULL;
  64         }
  65         obt = _obt;
  66
  67         return PyBool_FromLong(cli_credentials_set_username(PyCredentials_AsCliCredentials(self), newval, obt));
  68 }
  69
  70 static PyObject *py_creds_get_ntlm_username_domain(PyObject *self, PyObject *unused)
  71 {
  72         TALLOC_CTX *frame = talloc_stackframe();
  73         const char *user = NULL;
  74         const char *domain = NULL;
  75         PyObject *ret = NULL;
  76         cli_credentials_get_ntlm_username_domain(PyCredentials_AsCliCredentials(self),
  77                                                  frame, &user, &domain);
  78         ret = Py_BuildValue("(OO)",
  79                             PyString_FromStringOrNULL(user),
  80                             PyString_FromStringOrNULL(domain));
  81         TALLOC_FREE(frame);
  82         return ret;
  83 }
  84
  85 static PyObject *py_creds_get_ntlm_response(PyObject *self, PyObject *args, PyObject *kwargs)
  86 {
  87         TALLOC_CTX *frame = talloc_stackframe();
  88         PyObject *ret = NULL;
  89         int flags;
  90         struct timeval tv_now;
  91         NTTIME server_timestamp;
  92         DATA_BLOB challenge = data_blob_null;
  93         DATA_BLOB target_info = data_blob_null;
  94         NTSTATUS status;
  95         DATA_BLOB lm_response = data_blob_null;
  96         DATA_BLOB nt_response = data_blob_null;
  97         DATA_BLOB lm_session_key = data_blob_null;
  98         DATA_BLOB nt_session_key = data_blob_null;
  99         const char *kwnames[] = { "flags", "challenge",
 100                                   "target_info",
 101                                   NULL };
 102
 103         tv_now = timeval_current();
 104         server_timestamp = timeval_to_nttime(&tv_now);
 105
 106         if (!PyArg_ParseTupleAndKeywords(args, kwargs, "is#|s#",
 107                                          discard_const_p(char *, kwnames),
 108                                          &flags,
 109                                          &challenge.data,
 110                                          &challenge.length,
 111                                          &target_info.data,
 112                                          &target_info.length)) {
 113                 return NULL;
 114         }
 115
 116         status = cli_credentials_get_ntlm_response(PyCredentials_AsCliCredentials(self),
 117                                                    frame, &flags,
 118                                                    challenge,
 119                                                    &server_timestamp,
 120                                                    target_info,
 121                                                    &lm_response, &nt_response,
 122                                                    &lm_session_key, &nt_session_key);
 123
 124         if (!NT_STATUS_IS_OK(status)) {
 125                 PyErr_SetNTSTATUS(status);
 126                 TALLOC_FREE(frame);
 127                 return NULL;
 128         }
 129
 130         ret = Py_BuildValue("{sis" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN
 131                                     "s" PYARG_BYTES_LEN "s" PYARG_BYTES_LEN "}",
 132                             "flags", flags,
 133                             "lm_response",
 134                             (const char *)lm_response.data, lm_response.length,
 135                             "nt_response",
 136                             (const char *)nt_response.data, nt_response.length,
 137                             "lm_session_key",
 138                             (const char *)lm_session_key.data, lm_session_key.length,
 139                             "nt_session_key",
 140                             (const char *)nt_session_key.data, nt_session_key.length);
 141         TALLOC_FREE(frame);
 142         return ret;
 143 }
 144
 145 static PyObject *py_creds_get_principal(PyObject *self, PyObject *unused)
 146 {
 147         TALLOC_CTX *frame = talloc_stackframe();
 148         PyObject *ret = PyString_FromStringOrNULL(cli_credentials_get_principal(PyCredentials_AsCliCredentials(self), frame));
 149         TALLOC_FREE(frame);
 150         return ret;
 151 }
 152
 153 static PyObject *py_creds_set_principal(PyObject *self, PyObject *args)
 154 {
 155         char *newval;
 156         enum credentials_obtained obt = CRED_SPECIFIED;
 157         int _obt = obt;
 158
 159         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 160                 return NULL;
 161         }
 162         obt = _obt;
 163
 164         return PyBool_FromLong(cli_credentials_set_principal(PyCredentials_AsCliCredentials(self), newval, obt));
 165 }
 166
 167 static PyObject *py_creds_get_password(PyObject *self, PyObject *unused)
 168 {
 169         return PyString_FromStringOrNULL(cli_credentials_get_password(PyCredentials_AsCliCredentials(self)));
 170 }
 171
 172 static PyObject *py_creds_set_password(PyObject *self, PyObject *args)
 173 {
 174         char *newval;
 175         enum credentials_obtained obt = CRED_SPECIFIED;
 176         int _obt = obt;
 177
 178         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 179                 return NULL;
 180         }
 181         obt = _obt;
 182
 183         return PyBool_FromLong(cli_credentials_set_password(PyCredentials_AsCliCredentials(self), newval, obt));
 184 }
 185
 186 static PyObject *py_creds_set_utf16_password(PyObject *self, PyObject *args)
 187 {
 188         enum credentials_obtained obt = CRED_SPECIFIED;
 189         int _obt = obt;
 190         PyObject *newval = NULL;
 191         DATA_BLOB blob = data_blob_null;
 192         Py_ssize_t size =  0;
 193         int result;
 194         bool ok;
 195
 196         if (!PyArg_ParseTuple(args, "O|i", &newval, &_obt)) {
 197                 return NULL;
 198         }
 199         obt = _obt;
 200
 201         result = PyBytes_AsStringAndSize(newval, (char **)&blob.data, &size);
 202         if (result != 0) {
 203                 PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes");
 204                 return NULL;
 205         }
 206         blob.length = size;
 207
 208         ok = cli_credentials_set_utf16_password(PyCredentials_AsCliCredentials(self),
 209                                                 &blob, obt);
 210
 211         return PyBool_FromLong(ok);
 212 }
 213
 214 static PyObject *py_creds_get_old_password(PyObject *self, PyObject *unused)
 215 {
 216         return PyString_FromStringOrNULL(cli_credentials_get_old_password(PyCredentials_AsCliCredentials(self)));
 217 }
 218
 219 static PyObject *py_creds_set_old_password(PyObject *self, PyObject *args)
 220 {
 221         char *oldval;
 222         enum credentials_obtained obt = CRED_SPECIFIED;
 223         int _obt = obt;
 224
 225         if (!PyArg_ParseTuple(args, "s|i", &oldval, &_obt)) {
 226                 return NULL;
 227         }
 228         obt = _obt;
 229
 230         return PyBool_FromLong(cli_credentials_set_old_password(PyCredentials_AsCliCredentials(self), oldval, obt));
 231 }
 232
 233 static PyObject *py_creds_set_old_utf16_password(PyObject *self, PyObject *args)
 234 {
 235         PyObject *oldval = NULL;
 236         DATA_BLOB blob = data_blob_null;
 237         Py_ssize_t size =  0;
 238         int result;
 239         bool ok;
 240
 241         if (!PyArg_ParseTuple(args, "O", &oldval)) {
 242                 return NULL;
 243         }
 244
 245         result = PyBytes_AsStringAndSize(oldval, (char **)&blob.data, &size);
 246         if (result != 0) {
 247                 PyErr_SetString(PyExc_RuntimeError, "Failed to convert passed value to Bytes");
 248                 return NULL;
 249         }
 250         blob.length = size;
 251
 252         ok = cli_credentials_set_old_utf16_password(PyCredentials_AsCliCredentials(self),
 253                                                     &blob);
 254
 255         return PyBool_FromLong(ok);
 256 }
 257
 258 static PyObject *py_creds_get_domain(PyObject *self, PyObject *unused)
 259 {
 260         return PyString_FromStringOrNULL(cli_credentials_get_domain(PyCredentials_AsCliCredentials(self)));
 261 }
 262
 263 static PyObject *py_creds_set_domain(PyObject *self, PyObject *args)
 264 {
 265         char *newval;
 266         enum credentials_obtained obt = CRED_SPECIFIED;
 267         int _obt = obt;
 268
 269         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 270                 return NULL;
 271         }
 272         obt = _obt;
 273
 274         return PyBool_FromLong(cli_credentials_set_domain(PyCredentials_AsCliCredentials(self), newval, obt));
 275 }
 276
 277 static PyObject *py_creds_get_realm(PyObject *self, PyObject *unused)
 278 {
 279         return PyString_FromStringOrNULL(cli_credentials_get_realm(PyCredentials_AsCliCredentials(self)));
 280 }
 281
 282 static PyObject *py_creds_set_realm(PyObject *self, PyObject *args)
 283 {
 284         char *newval;
 285         enum credentials_obtained obt = CRED_SPECIFIED;
 286         int _obt = obt;
 287
 288         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 289                 return NULL;
 290         }
 291         obt = _obt;
 292
 293         return PyBool_FromLong(cli_credentials_set_realm(PyCredentials_AsCliCredentials(self), newval, obt));
 294 }
 295
 296 static PyObject *py_creds_get_bind_dn(PyObject *self, PyObject *unused)
 297 {
 298         return PyString_FromStringOrNULL(cli_credentials_get_bind_dn(PyCredentials_AsCliCredentials(self)));
 299 }
 300
 301 static PyObject *py_creds_set_bind_dn(PyObject *self, PyObject *args)
 302 {
 303         char *newval;
 304         if (!PyArg_ParseTuple(args, "s", &newval))
 305                 return NULL;
 306
 307         return PyBool_FromLong(cli_credentials_set_bind_dn(PyCredentials_AsCliCredentials(self), newval));
 308 }
 309
 310 static PyObject *py_creds_get_workstation(PyObject *self, PyObject *unused)
 311 {
 312         return PyString_FromStringOrNULL(cli_credentials_get_workstation(PyCredentials_AsCliCredentials(self)));
 313 }
 314
 315 static PyObject *py_creds_set_workstation(PyObject *self, PyObject *args)
 316 {
 317         char *newval;
 318         enum credentials_obtained obt = CRED_SPECIFIED;
 319         int _obt = obt;
 320
 321         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 322                 return NULL;
 323         }
 324         obt = _obt;
 325
 326         return PyBool_FromLong(cli_credentials_set_workstation(PyCredentials_AsCliCredentials(self), newval, obt));
 327 }
 328
 329 static PyObject *py_creds_is_anonymous(PyObject *self, PyObject *unused)
 330 {
 331         return PyBool_FromLong(cli_credentials_is_anonymous(PyCredentials_AsCliCredentials(self)));
 332 }
 333
 334 static PyObject *py_creds_set_anonymous(PyObject *self, PyObject *unused)
 335 {
 336         cli_credentials_set_anonymous(PyCredentials_AsCliCredentials(self));
 337         Py_RETURN_NONE;
 338 }
 339
 340 static PyObject *py_creds_authentication_requested(PyObject *self, PyObject *unused)
 341 {
 342         return PyBool_FromLong(cli_credentials_authentication_requested(PyCredentials_AsCliCredentials(self)));
 343 }
 344
 345 static PyObject *py_creds_wrong_password(PyObject *self, PyObject *unused)
 346 {
 347         return PyBool_FromLong(cli_credentials_wrong_password(PyCredentials_AsCliCredentials(self)));
 348 }
 349
 350 static PyObject *py_creds_set_cmdline_callbacks(PyObject *self, PyObject *unused)
 351 {
 352         return PyBool_FromLong(cli_credentials_set_cmdline_callbacks(PyCredentials_AsCliCredentials(self)));
 353 }
 354
 355 static PyObject *py_creds_parse_string(PyObject *self, PyObject *args)
 356 {
 357         char *newval;
 358         enum credentials_obtained obt = CRED_SPECIFIED;
 359         int _obt = obt;
 360
 361         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 362                 return NULL;
 363         }
 364         obt = _obt;
 365
 366         cli_credentials_parse_string(PyCredentials_AsCliCredentials(self), newval, obt);
 367         Py_RETURN_NONE;
 368 }
 369
 370 static PyObject *py_creds_parse_file(PyObject *self, PyObject *args)
 371 {
 372         char *newval;
 373         enum credentials_obtained obt = CRED_SPECIFIED;
 374         int _obt = obt;
 375
 376         if (!PyArg_ParseTuple(args, "s|i", &newval, &_obt)) {
 377                 return NULL;
 378         }
 379         obt = _obt;
 380
 381         cli_credentials_parse_file(PyCredentials_AsCliCredentials(self), newval, obt);
 382         Py_RETURN_NONE;
 383 }
 384
 385 static PyObject *py_cli_credentials_set_password_will_be_nt_hash(PyObject *self, PyObject *args)
 386 {
 387         struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
 388         PyObject *py_val = NULL;
 389         bool val = false;
 390
 391         if (!PyArg_ParseTuple(args, "O!", &PyBool_Type, &py_val)) {
 392                 return NULL;
 393         }
 394         val = PyObject_IsTrue(py_val);
 395
 396         cli_credentials_set_password_will_be_nt_hash(creds, val);
 397         Py_RETURN_NONE;
 398 }
 399
 400 static PyObject *py_creds_get_nt_hash(PyObject *self, PyObject *unused)
 401 {
 402         PyObject *ret;
 403         struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
 404         struct samr_Password *ntpw = cli_credentials_get_nt_hash(creds, creds);
 405
 406         ret = PyBytes_FromStringAndSize(discard_const_p(char, ntpw->hash), 16);
 407         TALLOC_FREE(ntpw);
 408         return ret;
 409 }
 410
 411 static PyObject *py_creds_get_kerberos_state(PyObject *self, PyObject *unused)
 412 {
 413         int state = cli_credentials_get_kerberos_state(PyCredentials_AsCliCredentials(self));
 414         return PyInt_FromLong(state);
 415 }
 416
 417 static PyObject *py_creds_set_kerberos_state(PyObject *self, PyObject *args)
 418 {
 419         int state;
 420         if (!PyArg_ParseTuple(args, "i", &state))
 421                 return NULL;
 422
 423         cli_credentials_set_kerberos_state(PyCredentials_AsCliCredentials(self), state);
 424         Py_RETURN_NONE;
 425 }
 426
 427 static PyObject *py_creds_set_krb_forwardable(PyObject *self, PyObject *args)
 428 {
 429         int state;
 430         if (!PyArg_ParseTuple(args, "i", &state))
 431                 return NULL;
 432
 433         cli_credentials_set_krb_forwardable(PyCredentials_AsCliCredentials(self), state);
 434         Py_RETURN_NONE;
 435 }
 436
 437
 438 static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
 439 {
 440         return PyString_FromStringOrNULL(cli_credentials_get_forced_sasl_mech(PyCredentials_AsCliCredentials(self)));
 441 }
 442
 443 static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 444 {
 445         char *newval;
 446         enum credentials_obtained obt = CRED_SPECIFIED;
 447         int _obt = obt;
 448
 449         if (!PyArg_ParseTuple(args, "s", &newval)) {
 450                 return NULL;
 451         }
 452         obt = _obt;
 453
 454         cli_credentials_set_forced_sasl_mech(PyCredentials_AsCliCredentials(self), newval);
 455         Py_RETURN_NONE;
 456 }
 457
 458 static PyObject *py_creds_guess(PyObject *self, PyObject *args)
 459 {
 460         PyObject *py_lp_ctx = Py_None;
 461         struct loadparm_context *lp_ctx;
 462         TALLOC_CTX *mem_ctx;
 463         struct cli_credentials *creds;
 464
 465         creds = PyCredentials_AsCliCredentials(self);
 466
 467         if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
 468                 return NULL;
 469
 470         mem_ctx = talloc_new(NULL);
 471         if (mem_ctx == NULL) {
 472                 PyErr_NoMemory();
 473                 return NULL;
 474         }
 475
 476         lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
 477         if (lp_ctx == NULL) {
 478                 talloc_free(mem_ctx);
 479                 return NULL;
 480         }
 481
 482         cli_credentials_guess(creds, lp_ctx);
 483
 484         talloc_free(mem_ctx);
 485
 486         Py_RETURN_NONE;
 487 }
 488
 489 static PyObject *py_creds_set_machine_account(PyObject *self, PyObject *args)
 490 {
 491         PyObject *py_lp_ctx = Py_None;
 492         struct loadparm_context *lp_ctx;
 493         NTSTATUS status;
 494         struct cli_credentials *creds;
 495         TALLOC_CTX *mem_ctx;
 496
 497         creds = PyCredentials_AsCliCredentials(self);
 498
 499         if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
 500                 return NULL;
 501
 502         mem_ctx = talloc_new(NULL);
 503         if (mem_ctx == NULL) {
 504                 PyErr_NoMemory();
 505                 return NULL;
 506         }
 507
 508         lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
 509         if (lp_ctx == NULL) {
 510                 talloc_free(mem_ctx);
 511                 return NULL;
 512         }
 513
 514         status = cli_credentials_set_machine_account(creds, lp_ctx);
 515         talloc_free(mem_ctx);
 516
 517         PyErr_NTSTATUS_IS_ERR_RAISE(status);
 518
 519         Py_RETURN_NONE;
 520 }
 521
 522 static PyObject *PyCredentialCacheContainer_from_ccache_container(struct ccache_container *ccc)
 523 {
 524         return pytalloc_reference(&PyCredentialCacheContainer, ccc);
 525 }
 526
 527
 528 static PyObject *py_creds_get_named_ccache(PyObject *self, PyObject *args)
 529 {
 530         PyObject *py_lp_ctx = Py_None;
 531         char *ccache_name = NULL;
 532         struct loadparm_context *lp_ctx;
 533         struct ccache_container *ccc;
 534         struct tevent_context *event_ctx;
 535         int ret;
 536         const char *error_string;
 537         struct cli_credentials *creds;
 538         TALLOC_CTX *mem_ctx;
 539
 540         creds = PyCredentials_AsCliCredentials(self);
 541
 542         if (!PyArg_ParseTuple(args, "|Os", &py_lp_ctx, &ccache_name))
 543                 return NULL;
 544
 545         mem_ctx = talloc_new(NULL);
 546         if (mem_ctx == NULL) {
 547                 PyErr_NoMemory();
 548                 return NULL;
 549         }
 550
 551         lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
 552         if (lp_ctx == NULL) {
 553                 talloc_free(mem_ctx);
 554                 return NULL;
 555         }
 556
 557         event_ctx = samba_tevent_context_init(mem_ctx);
 558
 559         ret = cli_credentials_get_named_ccache(creds, event_ctx, lp_ctx,
 560                                                ccache_name, &ccc, &error_string);
 561         talloc_unlink(mem_ctx, lp_ctx);
 562         if (ret == 0) {
 563                 talloc_steal(ccc, event_ctx);
 564                 talloc_free(mem_ctx);
 565                 return PyCredentialCacheContainer_from_ccache_container(ccc);
 566         }
 567
 568         PyErr_SetString(PyExc_RuntimeError, error_string?error_string:"NULL");
 569
 570         talloc_free(mem_ctx);
 571         return NULL;
 572 }
 573
 574 static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 575 {
 576         struct loadparm_context *lp_ctx = NULL;
 577         enum credentials_obtained obt = CRED_SPECIFIED;
 578         const char *error_string = NULL;
 579         TALLOC_CTX *mem_ctx = NULL;
 580         char *newval = NULL;
 581         PyObject *py_lp_ctx = Py_None;
 582         int _obt = obt;
 583         int ret;
 584
 585         if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
 586                 return NULL;
 587
 588         mem_ctx = talloc_new(NULL);
 589         if (mem_ctx == NULL) {
 590                 PyErr_NoMemory();
 591                 return NULL;
 592         }
 593
 594         lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
 595         if (lp_ctx == NULL) {
 596                 talloc_free(mem_ctx);
 597                 return NULL;
 598         }
 599
 600         ret = cli_credentials_set_ccache(PyCredentials_AsCliCredentials(self),
 601                                          lp_ctx,
 602                                          newval, CRED_SPECIFIED,
 603                                          &error_string);
 604
 605         if (ret != 0) {
 606                 PyErr_SetString(PyExc_RuntimeError,
 607                                 error_string != NULL ? error_string : "NULL");
 608                 talloc_free(mem_ctx);
 609                 return NULL;
 610         }
 611
 612         talloc_free(mem_ctx);
 613         Py_RETURN_NONE;
 614 }
 615
 616 static PyObject *py_creds_set_gensec_features(PyObject *self, PyObject *args)
 617 {
 618         unsigned int gensec_features;
 619
 620         if (!PyArg_ParseTuple(args, "I", &gensec_features))
 621                 return NULL;
 622
 623         cli_credentials_set_gensec_features(PyCredentials_AsCliCredentials(self), gensec_features);
 624
 625         Py_RETURN_NONE;
 626 }
 627
 628 static PyObject *py_creds_get_gensec_features(PyObject *self, PyObject *args)
 629 {
 630         unsigned int gensec_features;
 631
 632         gensec_features = cli_credentials_get_gensec_features(PyCredentials_AsCliCredentials(self));
 633         return PyInt_FromLong(gensec_features);
 634 }
 635
 636 static PyObject *py_creds_new_client_authenticator(PyObject *self,
 637                                                    PyObject *args)
 638 {
 639         struct netr_Authenticator auth;
 640         struct cli_credentials *creds = NULL;
 641         struct netlogon_creds_CredentialState *nc = NULL;
 642         PyObject *ret = NULL;
 643
 644         creds = PyCredentials_AsCliCredentials(self);
 645         if (creds == NULL) {
 646                 PyErr_SetString(PyExc_RuntimeError,
 647                                 "Failed to get credentials from python");
 648                 return NULL;
 649         }
 650
 651         nc = creds->netlogon_creds;
 652         if (nc == NULL) {
 653                 PyErr_SetString(PyExc_ValueError,
 654                                 "No netlogon credentials cannot make "
 655                                 "client authenticator");
 656                 return NULL;
 657         }
 658
 659         netlogon_creds_client_authenticator(
 660                 nc,
 661                 &auth);
 662         ret = Py_BuildValue("{ss#si}",
 663                             "credential",
 664                             (const char *) &auth.cred, sizeof(auth.cred),
 665                             "timestamp", auth.timestamp);
 666         return ret;
 667 }
 668
 669 static PyObject *py_creds_set_secure_channel_type(PyObject *self, PyObject *args)
 670 {
 671         unsigned int channel_type;
 672
 673         if (!PyArg_ParseTuple(args, "I", &channel_type))
 674                 return NULL;
 675
 676         cli_credentials_set_secure_channel_type(
 677                 PyCredentials_AsCliCredentials(self),
 678                 channel_type);
 679
 680         Py_RETURN_NONE;
 681 }
 682
 683 static PyObject *py_creds_get_secure_channel_type(PyObject *self, PyObject *args)
 684 {
 685         enum netr_SchannelType channel_type = SEC_CHAN_NULL;
 686
 687         channel_type = cli_credentials_get_secure_channel_type(
 688                 PyCredentials_AsCliCredentials(self));
 689
 690         return PyInt_FromLong(channel_type);
 691 }
 692
 693 static PyObject *py_creds_encrypt_netr_crypt_password(PyObject *self,
 694                                                       PyObject *args)
 695 {
 696         DATA_BLOB data = data_blob_null;
 697         struct cli_credentials    *creds  = NULL;
 698         struct netr_CryptPassword *pwd    = NULL;
 699         NTSTATUS status;
 700         PyObject *py_cp = Py_None;
 701
 702         creds = PyCredentials_AsCliCredentials(self);
 703
 704         if (!PyArg_ParseTuple(args, "|O", &py_cp)) {
 705                 return NULL;
 706         }
 707         pwd = pytalloc_get_type(py_cp, struct netr_CryptPassword);
 708         data.length = sizeof(struct netr_CryptPassword);
 709         data.data   = (uint8_t *)pwd;
 710         status = netlogon_creds_session_encrypt(creds->netlogon_creds, data);
 711
 712         PyErr_NTSTATUS_IS_ERR_RAISE(status);
 713
 714         Py_RETURN_NONE;
 715 }
 716
 717 static PyMethodDef py_creds_methods[] = {
 718         { "get_username", py_creds_get_username, METH_NOARGS,
 719                 "S.get_username() -> username\nObtain username." },
 720         { "set_username", py_creds_set_username, METH_VARARGS,
 721                 "S.set_username(name[, credentials.SPECIFIED]) -> None\n"
 722                 "Change username." },
 723         { "get_principal", py_creds_get_principal, METH_NOARGS,
 724                 "S.get_principal() -> user@realm\nObtain user principal." },
 725         { "set_principal", py_creds_set_principal, METH_VARARGS,
 726                 "S.set_principal(name[, credentials.SPECIFIED]) -> None\n"
 727                 "Change principal." },
 728         { "get_password", py_creds_get_password, METH_NOARGS,
 729                 "S.get_password() -> password\n"
 730                 "Obtain password." },
 731         { "get_ntlm_username_domain", py_creds_get_ntlm_username_domain, METH_NOARGS,
 732                 "S.get_ntlm_username_domain() -> (domain, username)\n"
 733                 "Obtain NTLM username and domain, split up either as (DOMAIN, user) or (\"\", \"user@realm\")." },
 734         { "get_ntlm_response", (PyCFunction)py_creds_get_ntlm_response, METH_VARARGS | METH_KEYWORDS,
 735                 "S.get_ntlm_response"
 736                 "(flags, challenge[, target_info]) -> "
 737                 "(flags, lm_response, nt_response, lm_session_key, nt_session_key)\n"
 738                 "Obtain LM or NTLM response." },
 739         { "set_password", py_creds_set_password, METH_VARARGS,
 740                 "S.set_password(password[, credentials.SPECIFIED]) -> None\n"
 741                 "Change password." },
 742         { "set_utf16_password", py_creds_set_utf16_password, METH_VARARGS,
 743                 "S.set_utf16_password(password[, credentials.SPECIFIED]) -> None\n"
 744                 "Change password." },
 745         { "get_old_password", py_creds_get_old_password, METH_NOARGS,
 746                 "S.get_old_password() -> password\n"
 747                 "Obtain old password." },
 748         { "set_old_password", py_creds_set_old_password, METH_VARARGS,
 749                 "S.set_old_password(password[, credentials.SPECIFIED]) -> None\n"
 750                 "Change old password." },
 751         { "set_old_utf16_password", py_creds_set_old_utf16_password, METH_VARARGS,
 752                 "S.set_old_utf16_password(password[, credentials.SPECIFIED]) -> None\n"
 753                 "Change old password." },
 754         { "get_domain", py_creds_get_domain, METH_NOARGS,
 755                 "S.get_domain() -> domain\n"
 756                 "Obtain domain name." },
 757         { "set_domain", py_creds_set_domain, METH_VARARGS,
 758                 "S.set_domain(domain[, credentials.SPECIFIED]) -> None\n"
 759                 "Change domain name." },
 760         { "get_realm", py_creds_get_realm, METH_NOARGS,
 761                 "S.get_realm() -> realm\n"
 762                 "Obtain realm name." },
 763         { "set_realm", py_creds_set_realm, METH_VARARGS,
 764                 "S.set_realm(realm[, credentials.SPECIFIED]) -> None\n"
 765                 "Change realm name." },
 766         { "get_bind_dn", py_creds_get_bind_dn, METH_NOARGS,
 767                 "S.get_bind_dn() -> bind dn\n"
 768                 "Obtain bind DN." },
 769         { "set_bind_dn", py_creds_set_bind_dn, METH_VARARGS,
 770                 "S.set_bind_dn(bind_dn) -> None\n"
 771                 "Change bind DN." },
 772         { "is_anonymous", py_creds_is_anonymous, METH_NOARGS,
 773                 NULL },
 774         { "set_anonymous", py_creds_set_anonymous, METH_NOARGS,
 775                 "S.set_anonymous() -> None\n"
 776                 "Use anonymous credentials." },
 777         { "get_workstation", py_creds_get_workstation, METH_NOARGS,
 778                 NULL },
 779         { "set_workstation", py_creds_set_workstation, METH_VARARGS,
 780                 NULL },
 781         { "authentication_requested", py_creds_authentication_requested, METH_NOARGS,
 782                 NULL },
 783         { "wrong_password", py_creds_wrong_password, METH_NOARGS,
 784                 "S.wrong_password() -> bool\n"
 785                 "Indicate the returned password was incorrect." },
 786         { "set_cmdline_callbacks", py_creds_set_cmdline_callbacks, METH_NOARGS,
 787                 "S.set_cmdline_callbacks() -> bool\n"
 788                 "Use command-line to obtain credentials not explicitly set." },
 789         { "parse_string", py_creds_parse_string, METH_VARARGS,
 790                 "S.parse_string(text[, credentials.SPECIFIED]) -> None\n"
 791                 "Parse credentials string." },
 792         { "parse_file", py_creds_parse_file, METH_VARARGS,
 793                 "S.parse_file(filename[, credentials.SPECIFIED]) -> None\n"
 794                 "Parse credentials file." },
 795         { "set_password_will_be_nt_hash",
 796                 py_cli_credentials_set_password_will_be_nt_hash, METH_VARARGS,
 797                 "S.set_password_will_be_nt_hash(bool) -> None\n"
 798                 "Alters the behaviour of S.set_password() "
 799                 "to expect the NTHASH as hexstring." },
 800         { "get_nt_hash", py_creds_get_nt_hash, METH_NOARGS,
 801                 NULL },
 802         { "get_kerberos_state", py_creds_get_kerberos_state, METH_NOARGS,
 803                 NULL },
 804         { "set_kerberos_state", py_creds_set_kerberos_state, METH_VARARGS,
 805                 NULL },
 806         { "set_krb_forwardable", py_creds_set_krb_forwardable, METH_VARARGS,
 807                 NULL },
 808         { "guess", py_creds_guess, METH_VARARGS, NULL },
 809         { "set_machine_account", py_creds_set_machine_account, METH_VARARGS, NULL },
 810         { "get_named_ccache", py_creds_get_named_ccache, METH_VARARGS, NULL },
 811         { "set_named_ccache", py_creds_set_named_ccache, METH_VARARGS,
 812                 "S.set_named_ccache(krb5_ccache_name, obtained, lp) -> None\n"
 813                 "Set credentials to KRB5 Credentials Cache (by name)." },
 814         { "set_gensec_features", py_creds_set_gensec_features, METH_VARARGS, NULL },
 815         { "get_gensec_features", py_creds_get_gensec_features, METH_NOARGS, NULL },
 816         { "get_forced_sasl_mech", py_creds_get_forced_sasl_mech, METH_NOARGS,
 817                 "S.get_forced_sasl_mech() -> SASL mechanism\nObtain forced SASL mechanism." },
 818         { "set_forced_sasl_mech", py_creds_set_forced_sasl_mech, METH_VARARGS,
 819                 "S.set_forced_sasl_mech(name) -> None\n"
 820                 "Set forced SASL mechanism." },
 821         { "new_client_authenticator",
 822                 py_creds_new_client_authenticator,
 823                 METH_NOARGS,
 824                 "S.new_client_authenticator() -> Authenticator\n"
 825                 "Get a new client NETLOGON_AUTHENTICATOR"},
 826         { "set_secure_channel_type", py_creds_set_secure_channel_type,
 827           METH_VARARGS, NULL },
 828         { "get_secure_channel_type", py_creds_get_secure_channel_type,
 829           METH_VARARGS },
 830         { "encrypt_netr_crypt_password",
 831                 py_creds_encrypt_netr_crypt_password,
 832                 METH_VARARGS,
 833                 "S.encrypt_netr_crypt_password(password) -> NTSTATUS\n"
 834                 "Encrypt the supplied password using the session key and\n"
 835                 "the negotiated encryption algorithm in place\n"
 836                 "i.e. it overwrites the original data"},
 837         { NULL }
 838 };
 839
 840 static struct PyModuleDef moduledef = {
 841     PyModuleDef_HEAD_INIT,
 842     .m_name = "credentials",
 843     .m_doc = "Credentials management.",
 844     .m_size = -1,
 845     .m_methods = py_creds_methods,
 846 };
 847
 848 PyTypeObject PyCredentials = {
 849         .tp_name = "credentials.Credentials",
 850         .tp_new = py_creds_new,
 851         .tp_flags = Py_TPFLAGS_DEFAULT,
 852         .tp_methods = py_creds_methods,
 853 };
 854
 855 static PyObject *py_ccache_name(PyObject *self, PyObject *unused)
 856 {
 857         struct ccache_container *ccc = NULL;
 858         char *name = NULL;
 859         PyObject *py_name = NULL;
 860         int ret;
 861
 862         ccc = pytalloc_get_type(self, struct ccache_container);
 863
 864         ret = krb5_cc_get_full_name(ccc->smb_krb5_context->krb5_context,
 865                                     ccc->ccache, &name);
 866         if (ret == 0) {
 867                 py_name = PyString_FromStringOrNULL(name);
 868                 SAFE_FREE(name);
 869         } else {
 870                 PyErr_SetString(PyExc_RuntimeError,
 871                                 "Failed to get ccache name");
 872                 return NULL;
 873         }
 874         return py_name;
 875 }
 876
 877 static PyMethodDef py_ccache_container_methods[] = {
 878         { "get_name", py_ccache_name, METH_NOARGS,
 879           "S.get_name() -> name\nObtain KRB5 credentials cache name." },
 880         { NULL }
 881 };
 882
 883 PyTypeObject PyCredentialCacheContainer = {
 884         .tp_name = "credentials.CredentialCacheContainer",
 885         .tp_flags = Py_TPFLAGS_DEFAULT,
 886         .tp_methods = py_ccache_container_methods,
 887 };
 888
 889 MODULE_INIT_FUNC(credentials)
 890 {
 891         PyObject *m;
 892         if (pytalloc_BaseObject_PyType_Ready(&PyCredentials) < 0)
 893                 return NULL;
 894
 895         if (pytalloc_BaseObject_PyType_Ready(&PyCredentialCacheContainer) < 0)
 896                 return NULL;
 897
 898         m = PyModule_Create(&moduledef);
 899         if (m == NULL)
 900                 return NULL;
 901
 902         PyModule_AddObject(m, "UNINITIALISED", PyInt_FromLong(CRED_UNINITIALISED));
 903         PyModule_AddObject(m, "CALLBACK", PyInt_FromLong(CRED_CALLBACK));
 904         PyModule_AddObject(m, "GUESS_ENV", PyInt_FromLong(CRED_GUESS_ENV));
 905         PyModule_AddObject(m, "GUESS_FILE", PyInt_FromLong(CRED_GUESS_FILE));
 906         PyModule_AddObject(m, "CALLBACK_RESULT", PyInt_FromLong(CRED_CALLBACK_RESULT));
 907         PyModule_AddObject(m, "SPECIFIED", PyInt_FromLong(CRED_SPECIFIED));
 908
 909         PyModule_AddObject(m, "AUTO_USE_KERBEROS", PyInt_FromLong(CRED_AUTO_USE_KERBEROS));
 910         PyModule_AddObject(m, "DONT_USE_KERBEROS", PyInt_FromLong(CRED_DONT_USE_KERBEROS));
 911         PyModule_AddObject(m, "MUST_USE_KERBEROS", PyInt_FromLong(CRED_MUST_USE_KERBEROS));
 912
 913         PyModule_AddObject(m, "AUTO_KRB_FORWARDABLE",  PyInt_FromLong(CRED_AUTO_KRB_FORWARDABLE));
 914         PyModule_AddObject(m, "NO_KRB_FORWARDABLE",    PyInt_FromLong(CRED_NO_KRB_FORWARDABLE));
 915         PyModule_AddObject(m, "FORCE_KRB_FORWARDABLE", PyInt_FromLong(CRED_FORCE_KRB_FORWARDABLE));
 916         PyModule_AddObject(m, "CLI_CRED_NTLM2", PyInt_FromLong(CLI_CRED_NTLM2));
 917         PyModule_AddObject(m, "CLI_CRED_NTLMv2_AUTH", PyInt_FromLong(CLI_CRED_NTLMv2_AUTH));
 918         PyModule_AddObject(m, "CLI_CRED_LANMAN_AUTH", PyInt_FromLong(CLI_CRED_LANMAN_AUTH));
 919         PyModule_AddObject(m, "CLI_CRED_NTLM_AUTH", PyInt_FromLong(CLI_CRED_NTLM_AUTH));
 920         PyModule_AddObject(m, "CLI_CRED_CLEAR_AUTH", PyInt_FromLong(CLI_CRED_CLEAR_AUTH));
 921
 922         Py_INCREF(&PyCredentials);
 923         PyModule_AddObject(m, "Credentials", (PyObject *)&PyCredentials);
 924         Py_INCREF(&PyCredentialCacheContainer);
 925         PyModule_AddObject(m, "CredentialCacheContainer", (PyObject *)&PyCredentialCacheContainer);
 926         return m;
 927 }