freeipa/makeaci

#!/usr/bin/python2
# Authors:
#   Petr Viktorin <pviktori@redhat.com>
#   John Dennis <jdennis@redhat.com>
#   Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2011  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Test the managed permission ACIs against a known-good ACI list
# to ensure that changes aren't made lightly.
# Can either regenerate ACI.txt, or validate against it.

import sys
import difflib
from argparse import ArgumentParser

from ipalib import api
from ipapython.dn import DN
from ipapython.ipaldap import LDAPEntry, IPASimpleLDAPObject, LDAPClient


class FakeLDAPClient(LDAPClient):
    """A LDAP client that can't do any LDAP operations

    Used to create and manipulate entries without an LDAP connection.
    """
    def _init_connection(self):
        self.conn = IPASimpleLDAPObject('', False, no_schema=True)


def parse_options():
    parser = ArgumentParser()
    parser.add_argument('--validate', dest='validate', action='store_true',
        default=False, help='Validate the API vs the stored API')
    parser.add_argument('filename', nargs='?', default='ACI.txt',
        help='File to create or validate, default: ACI.txt')

    options = parser.parse_args()
    return options


def generate_aci_lines(api):
    """Yields ACI lines as they appear in ACI.txt, with trailing newline"""
    update_plugin = api.Updater['update_managed_permissions']
    perm_plugin = api.Object['permission']
    fake_ldap = FakeLDAPClient('')
    for name, template, obj in update_plugin.get_templates():
        dn = perm_plugin.get_dn(name)
        entry = fake_ldap.make_entry(dn)
        update_plugin.update_entry(
            obj=obj,
            entry=entry,
            template=template,
            anonymous_read_aci=None,
            is_new=True,
        )
        aci = perm_plugin.make_aci(entry)
        yield 'dn: %s\n' % dn
        yield 'aci: %s\n' % aci


def main(options):
    api.bootstrap(
        context='cli',
        in_server=False,
        debug=False,
        verbose=0,
        validate_api=True,
        enable_ra=True,
        mode='developer',
        plugins_on_demand=False,
        basedn=DN('dc=ipa,dc=example'),
        realm='IPA.EXAMPLE',
    )
    from ipaserver.install.plugins.update_managed_permissions import (
        update_managed_permissions)
    from ipalib.plugins.permission import permission
    api.finalize()

    output_lines = list(generate_aci_lines(api))

    if options.validate:
        with open(options.filename) as file:
            file_lines = file.readlines()
        if file_lines != output_lines:
            diff = list(difflib.unified_diff(
                file_lines,
                output_lines,
                fromfile='existing %s' % options.filename,
                tofile='new result',
            ))
            for line in diff:
                print line,
            print>>sys.stderr
            print>>sys.stderr, 'Managed permission ACI validation failed.'
            print>>sys.stderr, 'Re-check permission changes and run `makeaci`.'
            exit('%s validation failed' % options.filename)
    else:
        with open(options.filename, 'w') as file:
            file.writelines(output_lines)


if __name__ == '__main__':
    options = parse_options()
    main(options)
Add ACI.txt The ACI.txt file is a list all managed permissions in ACI form. Similarly to API.txt, it ensures that changes are not made lightly, since modifications must be reflected in ACI.txt and committed to Git. Add a script, makeaci, which parallels makeapi: it recreates or validates ACI.txt. Call makeaci --validate before the build, just after API.txt is validated. Reviewed-By: Martin Kosek <mkosek@redhat.com> 2014-06-09 12:12:46 -05:00			`#!/usr/bin/python2`
			`# Authors:`
			`# Petr Viktorin <pviktori@redhat.com>`
			`# John Dennis <jdennis@redhat.com>`
			`# Martin Kosek <mkosek@redhat.com>`
			`#`
			`# Copyright (C) 2011 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`# Test the managed permission ACIs against a known-good ACI list`
			`# to ensure that changes aren't made lightly.`
			`# Can either regenerate ACI.txt, or validate against it.`

			`import sys`
			`import difflib`
			`from argparse import ArgumentParser`

			`from ipalib import api`
			`from ipapython.dn import DN`
			`from ipapython.ipaldap import LDAPEntry, IPASimpleLDAPObject, LDAPClient`


			`class FakeLDAPClient(LDAPClient):`
			`"""A LDAP client that can't do any LDAP operations`

			`Used to create and manipulate entries without an LDAP connection.`
			`"""`
			`def _init_connection(self):`
			`self.conn = IPASimpleLDAPObject('', False, no_schema=True)`


			`def parse_options():`
			`parser = ArgumentParser()`
			`parser.add_argument('--validate', dest='validate', action='store_true',`
			`default=False, help='Validate the API vs the stored API')`
			`parser.add_argument('filename', nargs='?', default='ACI.txt',`
			`help='File to create or validate, default: ACI.txt')`

			`options = parser.parse_args()`
			`return options`


			`def generate_aci_lines(api):`
			`"""Yields ACI lines as they appear in ACI.txt, with trailing newline"""`
			`update_plugin = api.Updater['update_managed_permissions']`
			`perm_plugin = api.Object['permission']`
			`fake_ldap = FakeLDAPClient('')`
			`for name, template, obj in update_plugin.get_templates():`
			`dn = perm_plugin.get_dn(name)`
			`entry = fake_ldap.make_entry(dn)`
			`update_plugin.update_entry(`
			`obj=obj,`
			`entry=entry,`
			`template=template,`
			`anonymous_read_aci=None,`
			`is_new=True,`
			`)`
			`aci = perm_plugin.make_aci(entry)`
			`yield 'dn: %s\n' % dn`
			`yield 'aci: %s\n' % aci`


			`def main(options):`
			`api.bootstrap(`
			`context='cli',`
			`in_server=False,`
			`debug=False,`
			`verbose=0,`
			`validate_api=True,`
			`enable_ra=True,`
			`mode='developer',`
			`plugins_on_demand=False,`
			`basedn=DN('dc=ipa,dc=example'),`
			`realm='IPA.EXAMPLE',`
			`)`
			`from ipaserver.install.plugins.update_managed_permissions import (`
			`update_managed_permissions)`
			`from ipalib.plugins.permission import permission`
			`api.finalize()`

			`output_lines = list(generate_aci_lines(api))`

			`if options.validate:`
			`with open(options.filename) as file:`
			`file_lines = file.readlines()`
			`if file_lines != output_lines:`
			`diff = list(difflib.unified_diff(`
			`file_lines,`
			`output_lines,`
			`fromfile='existing %s' % options.filename,`
			`tofile='new result',`
			`))`
			`for line in diff:`
			`print line,`
			`print>>sys.stderr`
			`print>>sys.stderr, 'Managed permission ACI validation failed.'`
			print>>sys.stderr, 'Re-check permission changes and run `makeaci`.'
			`exit('%s validation failed' % options.filename)`
			`else:`
			`with open(options.filename, 'w') as file:`
			`file.writelines(output_lines)`


			`if __name__ == '__main__':`
			`options = parse_options()`
			`main(options)`