IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-23 07:33:27 -06:00
Code Issues Packages Projects Releases Wiki Activity
139f6b63b1
freeipa/ipalib/aci.py

291 lines
11 KiB
Python
Raw Normal View History

Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
# Authors:
# Rob Crittenden <rcritten@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
import shlex
import re
Use six.string_types instead of "basestring" Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-10 11:29:33 -05:00
import six
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
# The Python re module doesn't do nested parenthesis
# Break the ACI into 3 pieces: target, name, permissions/bind_rules
Handle subyptes in ACIs While enabling console output in the server installation the "Allow trust agents to retrieve keytab keys for cross realm principals" ACI was throwing an unparseable error because it has a subkey which broke parsing (the extra semi-colon): userattr="ipaAllowedToPerform;read_keys#GROUPDN"; The regular expression pattern needed to be updated to handle this case. Related: https://pagure.io/freeipa/issue/6760 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-02 15:14:56 -05:00
ACIPat = re.compile(r'\(version\s+3.0\s*;\s*ac[li]\s+\"([^\"]*)\"\s*;'
r'\s*(.*);\s*\)', re.UNICODE)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
# Break the permissions/bind_rules out
ACI plugin: correctly parse bind rules enclosed in parentheses Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case. https://fedorahosted.org/freeipa/ticket/5037 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-23 08:45:35 -05:00
PermPat = re.compile(r'(\w+)\s*\(([^()]*)\)\s*(.*)', re.UNICODE)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
# Break the bind rule out
ACI plugin: correctly parse bind rules enclosed in parentheses Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case. https://fedorahosted.org/freeipa/ticket/5037 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-23 08:45:35 -05:00
BindPat = re.compile(r'\(?([a-zA-Z0-9;\.]+)\s*(\!?=)\s*\"(.*)\"\)?',
re.UNICODE)
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
ACTIONS = ["allow", "deny"]
PERMISSIONS = ["read", "write", "add", "delete", "search", "compare",
"selfwrite", "proxy", "all"]
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
pylint: fix old-style-class Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-03 05:45:01 -05:00
Py3: Remove subclassing from object Python 2 had old style and new style classes. Python 3 has only new style classes. There is no point to subclass from object any more. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-26 04:59:50 -05:00
class ACI:
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
"""
Holds the basic data for an ACI entry, as stored in the cn=accounts
entry in LDAP. Has methods to parse an ACI string and export to an
ACI String.
"""
pylint: disable __hash__ for some classes pylint requires all classes implementing __eq__ to also implement __hash__. We disable hashing for the classes that miss the ability, should they ever be required to use it, it can be implemented then. https://pagure.io/freeipa/issue/6874 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-08-22 07:12:40 -05:00
__hash__ = None
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
def __init__(self,acistr=None):
self.name = None
Fix uninitialized attributes.
2011-04-21 03:13:06 -05:00
self.source_group = None
self.dest_group = None
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
self.orig_acistr = acistr
self.target = {}
self.action = "allow"
self.permissions = ["write"]
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
self.bindrule = {}
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
if acistr is not None:
self._parse_acistr(acistr)
def __getitem__(self,key):
"""Fake getting attributes by key for sorting"""
if key == 0:
return self.name
if key == 1:
return self.source_group
if key == 2:
return self.dest_group
raise TypeError("Unknown key value %s" % key)
def __repr__(self):
"""An alias for export_to_string()"""
return self.export_to_string()
def export_to_string(self):
"""Output a Directory Server-compatible ACI string"""
self.validate()
aci = ""
ipalib.aci: Port to Python 3 - Don't encode under Python 3, where shlex would choke on bytes - Sort the attrs dictionary in export_to_string, so the tests are deterministic. (The iteration order of dicts was always unspecified, but was always the same in practice under CPython 2.) Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-21 03:34:15 -05:00
for t, v in sorted(self.target.items()):
op = v['operator']
if type(v['expression']) in (tuple, list):
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
target = ""
De-duplicate ACI attributes and permissions Ensure uniqueuess in attributes and permissions in the ACI class. A set() is not used because it doesn't guarantee order which ends up causing cascading and unpredictable test failures. Since all we really need is de-duplication and not a true mathematical set iterating through the list is sufficiently fast, particularly since the number of elements will always be low. https://pagure.io/freeipa/issue/8443 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-11 11:03:01 -05:00
for l in self._unique_list(v['expression']):
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
target = target + l + " || "
target = target[:-4]
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
aci = aci + "(%s %s \"%s\")" % (t, op, target)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
else:
ipalib.aci: Port to Python 3 - Don't encode under Python 3, where shlex would choke on bytes - Sort the attrs dictionary in export_to_string, so the tests are deterministic. (The iteration order of dicts was always unspecified, but was always the same in practice under CPython 2.) Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-21 03:34:15 -05:00
aci = aci + "(%s %s \"%s\")" % (t, op, v['expression'])
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
aci = aci + "(version 3.0;acl \"%s\";%s (%s) %s %s \"%s\"" % (self.name, self.action, ",".join(self.permissions), self.bindrule['keyword'], self.bindrule['operator'], self.bindrule['expression']) + ";)"
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
return aci
De-duplicate ACI attributes and permissions Ensure uniqueuess in attributes and permissions in the ACI class. A set() is not used because it doesn't guarantee order which ends up causing cascading and unpredictable test failures. Since all we really need is de-duplication and not a true mathematical set iterating through the list is sufficiently fast, particularly since the number of elements will always be low. https://pagure.io/freeipa/issue/8443 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-11 11:03:01 -05:00
def _unique_list(self, l):
"""
A set() doesn't maintain order so make a list unique ourselves.
The number of entries in our lists are always going to be
relatively low and this code will be called infrequently
anyway so the overhead will be small.
"""
unique = []
for item in l:
if item not in unique:
unique.append(item)
return unique
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
def _remove_quotes(self, s):
# Remove leading and trailing quotes
if s.startswith('"'):
s = s[1:]
if s.endswith('"'):
s = s[:-1]
return s
def _parse_target(self, aci):
ipalib.aci: Port to Python 3 - Don't encode under Python 3, where shlex would choke on bytes - Sort the attrs dictionary in export_to_string, so the tests are deterministic. (The iteration order of dicts was always unspecified, but was always the same in practice under CPython 2.) Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-21 03:34:15 -05:00
if six.PY2:
aci = aci.encode('utf-8')
lexer = shlex.shlex(aci)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
lexer.wordchars = lexer.wordchars + "."
var = False
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
op = "="
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
for token in lexer:
# We should have the form (a = b)(a = b)...
if token == "(":
Use next() function on iterators In Python 3, next() for iterators is a function rather than method. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 05:46:22 -05:00
var = next(lexer).strip()
operator = next(lexer)
Fix pylint 2.0 conditional-related violations In order to support pylint 2.0 the following violations must be fixed: - `chained-comparison` (R1716): Simplify chained comparison between the operands This message is emitted when pylint encounters boolean operation like "a < b and b < c", suggesting instead to refactor it to "a < b < c". - `consider-using-in` (R1714): Consider merging these comparisons with "in" to %r To check if a variable is equal to one of many values,combine the values into a tuple and check if the variable is contained "in" it instead of checking for equality against each of the values.This is faster and less verbose. Issue: https://pagure.io/freeipa/issue/7614 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-11 15:30:12 -05:00
if operator not in ("=", "!="):
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
# Peek at the next char before giving up
Use next() function on iterators In Python 3, next() for iterators is a function rather than method. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 05:46:22 -05:00
operator = operator + next(lexer)
Fix pylint 2.0 conditional-related violations In order to support pylint 2.0 the following violations must be fixed: - `chained-comparison` (R1716): Simplify chained comparison between the operands This message is emitted when pylint encounters boolean operation like "a < b and b < c", suggesting instead to refactor it to "a < b < c". - `consider-using-in` (R1714): Consider merging these comparisons with "in" to %r To check if a variable is equal to one of many values,combine the values into a tuple and check if the variable is contained "in" it instead of checking for equality against each of the values.This is faster and less verbose. Issue: https://pagure.io/freeipa/issue/7614 Signed-off-by: Armando Neto <abiagion@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-11 15:30:12 -05:00
if operator not in ("=", "!="):
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
raise SyntaxError("No operator in target, got '%s'" % operator)
op = operator
Use next() function on iterators In Python 3, next() for iterators is a function rather than method. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 05:46:22 -05:00
val = next(lexer).strip()
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
val = self._remove_quotes(val)
Use next() function on iterators In Python 3, next() for iterators is a function rather than method. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 05:46:22 -05:00
end = next(lexer)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
if end != ")":
raise SyntaxError('No end parenthesis in target, got %s' % end)
if var == 'targetattr':
# Make a string of the form attr || attr || ... into a list
Sprinkle raw strings across the code base tox / pytest is complaining about lots and lots of invalid escape sequences in our code base. Sprinkle raw strings or backslash escapes across the code base to fix most occurences of: DeprecationWarning: invalid escape sequence There is still one warning that keeps repeating, though: source:264: DeprecationWarning: invalid escape sequence \d Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-24 03:49:45 -05:00
t = re.split(r'[^a-zA-Z0-9;\*]+', val)
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
self.target[var] = {}
self.target[var]['operator'] = op
self.target[var]['expression'] = t
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
else:
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
self.target[var] = {}
self.target[var]['operator'] = op
self.target[var]['expression'] = val
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
def _parse_acistr(self, acistr):
Fix two bugs: one in parsing the ACI and one in comparing two ACIs The parsing bug was looking for the string 'version' expecting to find the ACI version. This blew up with the attribute nsosversion. Use the string 'version 3.0' instead. The comparison bug appeared if neither ACI had a targetattr attribute. It was trying to create a set out of a None which is illegal. If an ACI doesn't have any targetattrs then return () instead.
2009-11-12 12:11:14 -06:00
vstart = acistr.find('version 3.0')
Fix aci plugin, enhance aci parsing capabilities, add user group support - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
2009-09-28 09:13:06 -05:00
if vstart < 0:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("malformed ACI, unable to find version %s" % acistr)
Fix aci plugin, enhance aci parsing capabilities, add user group support - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
2009-09-28 09:13:06 -05:00
acimatch = ACIPat.match(acistr[vstart-1:])
if not acimatch or len(acimatch.groups()) < 2:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("malformed ACI, match for version and bind rule failed %s" % acistr)
Fix aci plugin, enhance aci parsing capabilities, add user group support - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
2009-09-28 09:13:06 -05:00
self._parse_target(acistr[:vstart-1])
self.name = acimatch.group(1)
bindperms = PermPat.match(acimatch.group(2))
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
if not bindperms or len(bindperms.groups()) < 3:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("malformed ACI, permissions match failed %s" % acistr)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
self.action = bindperms.group(1)
De-duplicate ACI attributes and permissions Ensure uniqueuess in attributes and permissions in the ACI class. A set() is not used because it doesn't guarantee order which ends up causing cascading and unpredictable test failures. Since all we really need is de-duplication and not a true mathematical set iterating through the list is sufficiently fast, particularly since the number of elements will always be low. https://pagure.io/freeipa/issue/8443 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-11 11:03:01 -05:00
self.permissions = self._unique_list(
bindperms.group(2).replace(' ','').split(',')
)
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
self.set_bindrule(bindperms.group(3))
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
def validate(self):
"""Do some basic verification that this will produce a
valid LDAP ACI.
returns True if valid
"""
pylint: fix unneeded-not Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-03 03:05:34 -05:00
if type(self.permissions) not in (tuple, list):
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("permissions must be a list")
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
for p in self.permissions:
pylint: fix unneeded-not Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-03 03:05:34 -05:00
if p.lower() not in PERMISSIONS:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("invalid permission: '%s'" % p)
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
if not self.name:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("name must be set")
Py3: Replace six.string_types with str In Python 3, six.string_types is just an alias for str. See: https://pagure.io/freeipa/issue/7715 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-26 05:24:33 -05:00
if not isinstance(self.name, str):
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("name must be a string")
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
if not isinstance(self.target, dict) or len(self.target) == 0:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("target must be a non-empty dictionary")
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
if not isinstance(self.bindrule, dict):
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("bindrule must be a dictionary")
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
if not self.bindrule.get('operator') or not self.bindrule.get('keyword') or not self.bindrule.get('expression'):
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("bindrule is missing a component")
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
return True
De-duplicate ACI attributes and permissions Ensure uniqueuess in attributes and permissions in the ACI class. A set() is not used because it doesn't guarantee order which ends up causing cascading and unpredictable test failures. Since all we really need is de-duplication and not a true mathematical set iterating through the list is sufficiently fast, particularly since the number of elements will always be low. https://pagure.io/freeipa/issue/8443 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-11 11:03:01 -05:00
def set_permissions(self, permissions):
if type(permissions) not in (tuple, list):
permissions = [permissions]
self.permissions = self._unique_list(permissions)
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
def set_target_filter(self, filter, operator="="):
self.target['targetfilter'] = {}
if not filter.startswith("("):
filter = "(" + filter + ")"
self.target['targetfilter']['expression'] = filter
self.target['targetfilter']['operator'] = operator
def set_target_attr(self, attr, operator="="):
Setting an empty set of target attributes should raise an exception. It is possible to create an ACI with attributes and then try to set that to None via a mod command later. We need to catch this and raise an exception. If all attributes are set to None in an aci then the attr target is removed from the ACI. This could result in an illegal ACI if there are no other targets. Having no targets is a legal state, just not a legal final state. ticket 647
2010-12-21 21:39:55 -06:00
if not attr:
if 'targetattr' in self.target:
del self.target['targetattr']
return
pylint: fix unneeded-not Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-03 03:05:34 -05:00
if type(attr) not in (tuple, list):
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
attr = [attr]
self.target['targetattr'] = {}
De-duplicate ACI attributes and permissions Ensure uniqueuess in attributes and permissions in the ACI class. A set() is not used because it doesn't guarantee order which ends up causing cascading and unpredictable test failures. Since all we really need is de-duplication and not a true mathematical set iterating through the list is sufficiently fast, particularly since the number of elements will always be low. https://pagure.io/freeipa/issue/8443 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-09-11 11:03:01 -05:00
self.target['targetattr']['expression'] = self._unique_list(attr)
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
self.target['targetattr']['operator'] = operator
def set_target(self, target, operator="="):
assert target.startswith("ldap:///")
self.target['target'] = {}
self.target['target']['expression'] = target
self.target['target']['operator'] = operator
def set_bindrule(self, bindrule):
ACI plugin: correctly parse bind rules enclosed in parentheses Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case. https://fedorahosted.org/freeipa/ticket/5037 Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-23 08:45:35 -05:00
if bindrule.startswith('(') != bindrule.endswith(')'):
raise SyntaxError("non-matching parentheses in bindrule")
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
match = BindPat.match(bindrule)
if not match or len(match.groups()) < 3:
Use new-style raise syntax The form`raise Error, value` is deprecated in favor of `raise Error(value)`, and will be removed in Python 3. Use the new syntax. Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-08-12 06:49:54 -05:00
raise SyntaxError("malformed bind rule")
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
self.set_bindrule_keyword(match.group(1))
self.set_bindrule_operator(match.group(2))
self.set_bindrule_expression(match.group(3).replace('"',''))
def set_bindrule_keyword(self, keyword):
self.bindrule['keyword'] = keyword
def set_bindrule_operator(self, operator):
self.bindrule['operator'] = operator
def set_bindrule_expression(self, expression):
self.bindrule['expression'] = expression
def isequal(self, b):
"""
Compare the current ACI to another one to see if they are
the same.
returns True if equal, False if not.
"""
Fix aci plugin, enhance aci parsing capabilities, add user group support - The aci plugin didn't quite work with the new ldap2 backend. - We already walk through the target part of the ACI syntax so skip that in the regex altogether. This now lets us handle all current ACIs in IPA (some used to be ignored/skipped) - Add support for user groups so one can do v1-style delegation (group A can write attributes x,y,z in group B). It is actually quite a lot more flexible than that but you get the idea) - Improve error messages in the aci library - Add a bit of documentation to the aci plugin
2009-09-28 09:13:06 -05:00
assert isinstance(b, ACI)
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
try:
Fix DS ACI parsing.
2009-06-01 12:04:01 -05:00
if self.name.lower() != b.name.lower():
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
return False
if set(self.permissions) != set(b.permissions):
return False
if self.bindrule.get('keyword') != b.bindrule.get('keyword'):
return False
if self.bindrule.get('operator') != b.bindrule.get('operator'):
return False
if self.bindrule.get('expression') != b.bindrule.get('expression'):
return False
if self.target.get('targetfilter',{}).get('expression') != b.target.get('targetfilter',{}).get('expression'):
return False
if self.target.get('targetfilter',{}).get('operator') != b.target.get('targetfilter',{}).get('operator'):
return False
Fix two bugs: one in parsing the ACI and one in comparing two ACIs The parsing bug was looking for the string 'version' expecting to find the ACI version. This blew up with the attribute nsosversion. Use the string 'version 3.0' instead. The comparison bug appeared if neither ACI had a targetattr attribute. It was trying to create a set out of a None which is illegal. If an ACI doesn't have any targetattrs then return () instead.
2009-11-12 12:11:14 -06:00
if set(self.target.get('targetattr', {}).get('expression', ())) != set(b.target.get('targetattr',{}).get('expression', ())):
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
return False
ipalib.aci: Fix bugs in comparison - regression in be6edef6e48224e74344f48d25876b09cd263674: The __ne__ special method was named incorrectly - regression in 1ea6def129aa459ecc3d176a3b6aebdf75de2eb7: The targetattr operator was never compared Include some new comparison tests. Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-02 10:31:48 -05:00
if self.target.get('targetattr',{}).get('operator') != b.target.get('targetattr',{}).get('operator'):
return False
Update the ACI class to be more robust and the beginnings of an ACI plugin The ACI plugin is really meant for developers to help manage the ACIs. It may or may not be shipped. If it is it will be disabled by default. It is very much a shoot-in-foot problem waiting to happen.
2009-03-16 16:38:48 -05:00
if self.target.get('target',{}).get('expression') != b.target.get('target',{}).get('expression'):
return False
if self.target.get('target',{}).get('operator') != b.target.get('target',{}).get('operator'):
return False
except Exception:
# If anything throws up then they are not equal
return False
# We got this far so lets declare them the same
Stub out delegations Add ACI class
2008-10-10 23:49:05 -05:00
return True
ipalib.aci: Add support for == and != operators to ACI This allows more natural comparisons. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-04-30 10:24:06 -05:00
__eq__ = isequal
ipalib.aci: Fix bugs in comparison - regression in be6edef6e48224e74344f48d25876b09cd263674: The __ne__ special method was named incorrectly - regression in 1ea6def129aa459ecc3d176a3b6aebdf75de2eb7: The targetattr operator was never compared Include some new comparison tests. Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-02 10:31:48 -05:00
def __ne__(self, b):
ipalib.aci: Add support for == and != operators to ACI This allows more natural comparisons. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-04-30 10:24:06 -05:00
return not self == b
Reference in New Issue Copy Permalink