Source code for insights.parsers.pam

Pluggable Authentication Module configuration

This module provides parsing for PAM configuration files.
``PamConf`` is a parser for ``/etc/pam.conf`` files. Sample input is provided
in the examples.

PamConf - file ``/etc/pam.conf``

Sample file data::

    vsftpd      auth        required
    vsftpd      auth        requisite nullok
    vsftpd      auth        sufficient
    vsftpd      account     optional
    other       password    include retry=3 logging=verbose
    other       password    required shadow nullok use_authtok
    other       session     required

    >>> type(pam_conf)
    <class 'insights.parsers.pam.PamConf'>
    >>> len(pam_conf)
    >>> pam_conf[0].service
    >>> pam_conf[0].interface
    >>> pam_conf[0].control_flags
    [ControlFlag(flag='required', value=None)]
    >>> pam_conf[0].module_name
    >>> pam_conf[0].module_args is None
    >>> pam_conf.file_path

PamDConf - used for specific PAM configuration files

``PamDConf`` is a base class for the creation of parsers for ``/etc/pam.d``
service specific configuration files.

Sample file from ``/etc/pam.d/sshd``::

    auth       required
    auth       substack     password-auth
    auth       include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth      optional prepare
    account    required
    account    include      password-auth
    password   include      password-auth
    # close should be the first session rule
    session    required close
    session    required
    # open should only be followed by sessions to be executed in the user context
    session    required open env_params
    session    required
    session    optional force revoke
    session    include      password-auth
    session    include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session   optional prepare


    >>> type(pamd_conf)
    <class 'insights.parsers.pam.PamDConf'>
    >>> len(pamd_conf)
    >>> pamd_conf[0]._errors == [] # No errors in parsing
    >>> pamd_conf[0].service
    >>> pamd_conf[0].interface
    >>> pamd_conf[0].control_flags
    [ControlFlag(flag='required', value=None)]
    >>> pamd_conf[0].module_name
    >>> pamd_conf[0].module_args is None
    >>> pamd_conf.file_path
    >>> pamd_conf[3].module_name
    >>> pamd_conf[3].ignored_if_module_not_found

Normal use of the ``PamDConf`` class is to subclass it for a parser.  In

    pam_sshd = simple_file("etc/pam.d/sshd")

In the parser module (e.g. ``insights/parsers/``)::

    from insights import parser
    from insights.parsers.pam import PamDConf
    from insights.specs import Specs

    class PamSSHD(PamDConf):


from collections import namedtuple
from .. import Parser, get_active_lines, parser
from ..parsers import unsplit_lines, keyword_search, optlist_to_dict

import re
from insights.specs import Specs

[docs] class PamConfEntry(object): """Contains information from one PAM configuration line. Parses a single line of either a ``/etc/pam.conf`` file or a service specific ``/etc/pam.d`` conf file. The difference is that for ``/etc/pam.conf``, the service name is the first column of the input line. If a service specific conf file then the service name is not present in the line and must be provided as the ``service`` parameter as well as setting the ``pamd_conf`` to True. Parameters: line (str): One line of the pam conf info. pamd_config (boolean): If this is set to False then ``line`` will be parsed as a line from the ``etc/pam.conf`` file, if ``True`` then the line will be parsed as a line from a service specific ``etc/pam.d/`` conf file. Default is ``True``. service (str): If ``pamd_conf`` is ``True`` then the name of the service file must be provided since it is not present in `line`. Attributes: service (str): The service name (taken from the line or from the file name if not parsing ``pam.conf``) interface (str): The *type* clause - should be one of ``'account'``, ``'auth'``, ``'password'`` or ``'session'. If the line was invalid this is set to ``None``. ignored_if_module_not_found (bool): If the *type* clause is preceded by ``'-'``, then this is set to True and it indicates that PAM would skip this line rather than reporting an error if the given module is not found. control_flags (list): A list of ControlFlag named tuples. If the control flag was one of ``'required'``, ``'requisite'``, ``'sufficient'``, ``'optional'``, ``'include'``, or ``'substack'``, then this is the only flag in the list and its value is set to ``True``. If the control flag started with ``[``, then the list inside the square brackets is interpreted as a list of key=value tuples. _control_raw (str): the raw control flag string before parsing, for reference. module_name (str): the PAM module name (including the '.so') module_args (str): the PAM module arguments, if any. This is not parsed. _full_line (str): The original line in the PAM configuration. _errors (list): A list of parsing errors detected in this line. Examples: >>> pam_conf_line = 'vsftpd auth requisite nullok' >>> entry = PamConfEntry(pam_conf_line) >>> entry.service 'vsftpd' >>> entry.control_flags[0].flag 'requisite' >>> entry.module_args 'nullok' >>> pamd_conf_line = ''' ... auth [success=2 default=ok] auth=perm_denied cred=success ... '''.strip() >>> entry = PamConfEntry(pamd_conf_line, pamd_conf=True, service='vsftpd') >>> entry.service 'vsftpd' >>> entry.control_flags [ControlFlag(flag='success', value='2'), ControlFlag(flag='default', value='ok')] >>> entry.module_args 'auth=perm_denied cred=success' Raises: ValueError: If `pamd_conf` is True and `service` name is not provided, or if the line doesn't contain any module information. .. describe:: ControlFlag A named tuple with the 'flag' and 'value' properties, used to store information about the control flags in a PAM configuration line. """ ControlFlag = namedtuple('ControlFlag', 'flag, value') type_re = r'(?P<type>-?(?:account|auth|password|session))' control_re = r'(?P<control>required|requisite|sufficient|optional|' +\ r'include|substack|\[\w+=\w+(?:\s+\w+=\w+)*\])' mod_path_re = r'(?P<module>[\w.-]+)' mod_args_re = r'(?P<mod_args>\S.*)' line_re = r'\s+'.join([type_re, control_re, mod_path_re]) + \ r'(?:\s+' + mod_args_re + r')?' line_rex = re.compile(line_re) def __init__(self, line, pamd_conf=False, service=None): # If not pam.d file then service is first column in # line for pam.conf file. Otherwise service must be parameter. # print "PamConfEntry(line='{l}', pamd_conf={p}, service={s})".format(l=line, p=pamd_conf, s=service) self._full_line = line self._errors = [] self.service = service self.interface = None self.ignored_if_module_not_found = None self._control_raw = '' self.control_flags = [] self.module_name = None self.module_args = None if not pamd_conf: # Because this is called using get_active_lines() and # line_unsplit(), we cannot get a line that does not at least have # one token on it. self.service, line = line.split(None, 1) elif service is None: # The only valid situation to raise an error - the implementation # has called us with pamd_conf = true so we expect a service to # be given as a parameter. raise ValueError('Service name must be provided for pam.d conf file') match = if match: # Type can have a '-' in front, if so line is ignored if module # cannot be found. self._type_raw ='type') self.ignored_if_module_not_found = self._type_raw[0] == '-' self.interface = self._type_raw[1:] if self.ignored_if_module_not_found else self._type_raw # Parse control token, either regular word or [key=val...] self._control_raw ='control') if self._control_raw.startswith('['): self.control_flags = [] # Regex assures that it ends with ] for group in self._control_raw[1:-1].split(None): # We could do a match: val is constrained to a list and # action is 'ignore', 'bad', 'die', 'ok', done', 'reset' # or N where N is an unsigned integer. But keep it simple # for now. # Regex makes sure that each group contains an '=' though. val, action = group.split('=', 1) self.control_flags.append(self.ControlFlag(val, action)) else: self.control_flags = [self.ControlFlag(self._control_raw, None)] self.module_name ='module') self.module_args ='mod_args') if 'mod_args' in match.groupdict() else None self.module_args_dict = ( optlist_to_dict(self.module_args, opt_sep=' ') if self.module_args is not None else {} ) else: # Line not valid - report error self._errors.append("Cannot parse line '{l}' as a valid pam.d entry".format(l=self._full_line)) def __repr__(self): return "<PamConfEntry for {svc}: {typ} {ctl} {name}{args}>".format( svc=self.service, typ=self._type_raw, ctl=self._control_raw, name=self.module_name, args=( ' ' + self.module_args if self.module_args else '' ) )
[docs] class PamDConf(Parser): """Base class for parsing files in ``/etc/pam.d`` Derive from this class for parsers of files in the ``/etc/pam.d`` directory. Parses each line of the conf file into a list of PamConfEntry. Configuration file format is:: module_interface control_flag module_name module_arguments Sample input:: >>> pam_sshd = ''' ... auth required ... auth requisite nullok ... auth sufficient ... auth [success=2 default=ok] auth=perm_denied cred=success ... account optional ... password include retry=3 logging=verbose ... password required shadow nullok use_authtok ... ''' >>> from insights.tests import context_wrap >>> class YourPamDConf(PamDConf): # A trivial example ... pass >>> conf = YourPamDConf(context_wrap(pam_sshd, path='/etc/pam.d/sshd')) The `service` property of each PamConfEntry is set to the complete path name of the PAM config file. Attributes: data (list): List containing a PamConfEntry object for each line of the conf file in the same order as lines appear in the file. Examples: >>> conf[0].module_name # Can be used like a list of objects '' >>> account_rows = list('account')) >>> len(account_rows) 1 >>> account_rows[0].interface 'account' >>> account_rows[0].module_name '' >>> account_rows[0].control_flags [ControlFlag(flag='optional', value=None)] """
[docs] def parse_content(self, content): = [] # Need unsplit_lines for handling \ line continuations for line in get_active_lines(unsplit_lines(content)):, pamd_conf=True, service=self.file_name))
def __iter__(self): """(iterable): Iterate through the list of rules in the file""" for entry in yield entry def __getitem__(self, ndx): """(PamConfEntry): Return the entry data for the given line number""" return[ndx] def __len__(self): """(int): Return the number of entries read from the file""" return len(
[docs] def search(self, **kwargs): """ Search the pam.d configuration file by keyword. This is provided by the :func:`insights.parsers.keyword_search` function - see its documentation for more information. Searching on the list of PAM configuration entries is exactly like they were dictionaries instead of objects with properties. In addition, the 'control_flags' property becomes a dictionary of keywords and values, so that 'control_flags__contains' allows searching for a particular control flag. Returns: (list): A list of PamConfEntry objects that match the given search criteria. """ # Because keyword_search takes dicts, and we have objects with complex # properties, we convert them to a list of dicts. # First, store the things we're going to convert. prop_keys = ('service', 'interface', 'module_name', 'module_args') search = [] # Can't find a neat way to do this as a comprehension, so it's back # to loops. for obj in row = {'entry_obj': obj} for key in prop_keys: row[key] = getattr(obj, key) # For hysterical reasons, module_args can contain None if not # defined, but that's non-iterable: replace with '' if row['module_args'] is None: row['module_args'] = '' # Convert control_flags down to key/value dictionary flags = {} for cf in obj.control_flags: flags[cf.flag] = cf.value row['control_flags'] = flags search.append(row) # Now get the result, and just return the entry objects found = [] for r in keyword_search(search, **kwargs): found.append(r['entry_obj']) return found
[docs] @parser(Specs.pam_conf) class PamConf(PamDConf): """Base class for parsing pam config file ``/etc/pam.conf``. Based on the PamDConf parser class, but the service must be given as the first element of the line, rather than assumed from the file name. """
[docs] def parse_content(self, content): = [] for line in get_active_lines(content):