2013-09-19 10:41:04 -05:00
|
|
|
# Authors:
|
|
|
|
# Petr Viktorin <pviktori@redhat.com>
|
|
|
|
#
|
|
|
|
# Copyright (C) 2014 Red Hat
|
|
|
|
# see file 'COPYING' for use and warranty information
|
|
|
|
#
|
|
|
|
# This program is free software; you can redistribute it and/or modify
|
|
|
|
# it under the terms of the GNU General Public License as published by
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
|
|
# (at your option) any later version.
|
|
|
|
#
|
|
|
|
# This program is distributed in the hope that it will be useful,
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
# GNU General Public License for more details.
|
|
|
|
#
|
|
|
|
# You should have received a copy of the GNU General Public License
|
|
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
2014-03-27 06:17:37 -05:00
|
|
|
"""
|
|
|
|
Plugin for updating managed permissions.
|
|
|
|
|
|
|
|
The permissions are declared in Object plugins in the "managed_permissions"
|
|
|
|
attribute, which is a dictionary mapping permission names to a "template"
|
|
|
|
for the updater.
|
|
|
|
For example, an entry could look like this:
|
|
|
|
|
|
|
|
managed_permissions = {
|
|
|
|
'System: Read Object A': {
|
|
|
|
'ipapermbindruletype': 'all',
|
|
|
|
'ipapermright': {'read', 'search', 'compare'},
|
|
|
|
'ipapermdefaultattr': {'cn', 'description'},
|
|
|
|
'replaces_global_anonymous_aci': True,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
The permission name must start with the "System:" prefix.
|
|
|
|
|
|
|
|
The template dictionary can have the following keys:
|
2014-03-27 09:36:54 -05:00
|
|
|
* ipapermtarget, ipapermtargetfilter, ipapermlocation, ipapermright, objectclass
|
2014-03-27 06:17:37 -05:00
|
|
|
- Directly used as attributes on the permission.
|
|
|
|
- Replaced when upgrading an existing permission
|
2014-03-27 09:36:54 -05:00
|
|
|
- If not specified, these default to the defaults of a permission of the
|
|
|
|
corresponding --type, or (if non_object is specified) to general permission
|
|
|
|
defaults.
|
|
|
|
- ipapermlocation and ipapermtarget must be DNs
|
|
|
|
- ipapermtargetfilter and objectclass must be iterables of strings
|
|
|
|
* ipapermbindruletype
|
|
|
|
- Directly used as attribute on the permission.
|
|
|
|
- Not replaced when upgrading an existing permission.
|
2014-03-27 06:17:37 -05:00
|
|
|
* ipapermdefaultattr
|
|
|
|
- Used as attribute of the permission.
|
|
|
|
- When upgrading, only new values are added; all old values are kept.
|
2014-04-10 05:24:41 -05:00
|
|
|
* default_privileges
|
|
|
|
- Names of privileges to add the permission to
|
|
|
|
- Only applied on newly created permissions
|
2014-03-27 06:17:37 -05:00
|
|
|
* replaces_global_anonymous_aci
|
|
|
|
- If true, any attributes specified (denied) in the legacy global anonymous
|
|
|
|
read ACI will be added to excluded_attributes of the new permission.
|
|
|
|
- Has no effect when existing permissions are updated.
|
2014-03-27 09:36:54 -05:00
|
|
|
* non_object
|
|
|
|
- If true, no object-specific defaults are used (e.g. for
|
|
|
|
ipapermtargetfilter, ipapermlocation).
|
2014-03-27 06:17:37 -05:00
|
|
|
|
|
|
|
No other keys are allowed in the template
|
|
|
|
"""
|
|
|
|
|
2013-09-19 10:41:04 -05:00
|
|
|
from ipalib import errors
|
|
|
|
from ipapython.dn import DN
|
|
|
|
from ipalib.plugable import Registry
|
|
|
|
from ipalib.plugins import aci
|
|
|
|
from ipalib.plugins.permission import permission
|
|
|
|
from ipaserver.plugins.ldap2 import ldap2
|
|
|
|
from ipaserver.install.plugins import LAST
|
|
|
|
from ipaserver.install.plugins.baseupdate import PostUpdate
|
|
|
|
|
|
|
|
|
|
|
|
register = Registry()
|
|
|
|
|
|
|
|
|
|
|
|
@register()
|
|
|
|
class update_managed_permissions(PostUpdate):
|
|
|
|
"""Update managed permissions after an update.
|
|
|
|
|
|
|
|
Update managed permissions according to templates specified in plugins.
|
|
|
|
For read permissions, puts any attributes specified in the legacy
|
|
|
|
Anonymous access ACI in the exclude list when creating the permission.
|
|
|
|
"""
|
|
|
|
order = LAST
|
|
|
|
|
|
|
|
def get_anonymous_read_blacklist(self, ldap):
|
|
|
|
"""Get the list of attributes from the legacy anonymous access ACI"""
|
|
|
|
aciname = u'Enable Anonymous access'
|
|
|
|
aciprefix = u'none'
|
|
|
|
|
|
|
|
base_entry = ldap.get_entry(self.api.env.basedn, ['aci'])
|
|
|
|
|
|
|
|
acistrs = base_entry.get('aci', [])
|
|
|
|
acilist = aci._convert_strings_to_acis(acistrs)
|
|
|
|
try:
|
|
|
|
rawaci = aci._find_aci_by_name(acilist, aciprefix, aciname)
|
|
|
|
except errors.NotFound:
|
|
|
|
self.log.info('Anonymous ACI not found, using no blacklist')
|
|
|
|
return []
|
|
|
|
|
|
|
|
return rawaci.target['targetattr']['expression']
|
|
|
|
|
|
|
|
def execute(self, **options):
|
|
|
|
ldap = self.api.Backend[ldap2]
|
|
|
|
|
|
|
|
anonymous_read_blacklist = self.get_anonymous_read_blacklist(ldap)
|
|
|
|
|
|
|
|
self.log.info('Anonymous read blacklist: %s', anonymous_read_blacklist)
|
|
|
|
|
|
|
|
for obj in self.api.Object():
|
|
|
|
managed_permissions = getattr(obj, 'managed_permissions', {})
|
|
|
|
if managed_permissions:
|
|
|
|
self.log.info('Updating managed permissions for %s', obj.name)
|
|
|
|
for name, template in managed_permissions.items():
|
|
|
|
self.update_permission(ldap,
|
|
|
|
obj,
|
|
|
|
unicode(name),
|
|
|
|
template,
|
|
|
|
anonymous_read_blacklist)
|
|
|
|
|
|
|
|
return False, False, ()
|
|
|
|
|
|
|
|
def update_permission(self, ldap, obj, name, template,
|
|
|
|
anonymous_read_blacklist):
|
|
|
|
"""Update the given permission and the corresponding ACI"""
|
2014-03-27 09:36:54 -05:00
|
|
|
assert name.startswith('System:')
|
|
|
|
|
2013-09-19 10:41:04 -05:00
|
|
|
dn = self.api.Object[permission].get_dn(name)
|
|
|
|
|
|
|
|
try:
|
2014-04-11 05:09:32 -05:00
|
|
|
attrs_list = list(self.api.Object[permission].default_attributes)
|
|
|
|
attrs_list.remove('memberindirect')
|
2013-09-19 10:41:04 -05:00
|
|
|
entry = ldap.get_entry(dn, attrs_list)
|
|
|
|
is_new = False
|
|
|
|
except errors.NotFound:
|
|
|
|
entry = ldap.make_entry(dn)
|
|
|
|
is_new = True
|
|
|
|
|
2014-03-27 09:36:54 -05:00
|
|
|
self.log.debug('Updating managed permission: %s', name)
|
2013-09-19 10:41:04 -05:00
|
|
|
self.update_entry(obj, entry, template,
|
|
|
|
anonymous_read_blacklist, is_new=is_new)
|
|
|
|
|
|
|
|
if is_new:
|
|
|
|
ldap.add_entry(entry)
|
|
|
|
else:
|
|
|
|
try:
|
|
|
|
ldap.update_entry(entry)
|
|
|
|
except errors.EmptyModlist:
|
|
|
|
self.log.debug('No changes to permission: %s', name)
|
|
|
|
return
|
|
|
|
|
|
|
|
self.log.debug('Updating ACI for managed permission: %s', name)
|
|
|
|
|
|
|
|
self.api.Object[permission].update_aci(entry)
|
|
|
|
|
|
|
|
def update_entry(self, obj, entry, template,
|
|
|
|
anonymous_read_blacklist, is_new):
|
|
|
|
"""Update the given permission Entry (without contacting LDAP)"""
|
|
|
|
|
|
|
|
[name_ava] = entry.dn[0]
|
|
|
|
assert name_ava.attr == 'cn'
|
|
|
|
name = name_ava.value
|
|
|
|
entry.single_value['cn'] = name
|
|
|
|
|
|
|
|
template = dict(template)
|
|
|
|
|
2014-03-27 09:36:54 -05:00
|
|
|
if template.pop('non_object', False):
|
|
|
|
obj = None
|
2013-09-19 10:41:04 -05:00
|
|
|
|
|
|
|
entry['ipapermissiontype'] = [u'SYSTEM', u'V2', u'MANAGED']
|
|
|
|
|
2014-03-27 09:36:54 -05:00
|
|
|
# Attributes with defaults
|
|
|
|
objectclass = template.pop('objectclass', None)
|
|
|
|
if objectclass is None:
|
|
|
|
objectclass = self.api.Object[permission].object_class
|
|
|
|
entry['objectclass'] = list(objectclass)
|
|
|
|
|
|
|
|
ldap_filter = template.pop('ipapermtargetfilter', None)
|
|
|
|
if obj and ldap_filter is None:
|
|
|
|
ldap_filter = ['(objectclass=%s)' % oc
|
|
|
|
for oc in obj.permission_filter_objectclasses]
|
|
|
|
entry['ipapermtargetfilter'] = list(ldap_filter or [])
|
|
|
|
|
|
|
|
ipapermlocation = template.pop('ipapermlocation', None)
|
|
|
|
if ipapermlocation is None:
|
|
|
|
assert obj
|
|
|
|
ipapermlocation = DN(obj.container_dn, self.api.env.basedn)
|
2013-09-19 10:41:04 -05:00
|
|
|
entry.single_value['ipapermlocation'] = ipapermlocation
|
|
|
|
|
2014-03-27 09:36:54 -05:00
|
|
|
# Optional attributes
|
|
|
|
ipapermtarget = template.pop('ipapermtarget', None)
|
|
|
|
if ipapermtarget is not None:
|
|
|
|
entry['ipapermtarget'] = ipapermtarget
|
|
|
|
|
2013-09-19 10:41:04 -05:00
|
|
|
# Attributes from template
|
|
|
|
bindruletype = template.pop('ipapermbindruletype')
|
2014-03-27 09:36:54 -05:00
|
|
|
if is_new:
|
|
|
|
entry.single_value['ipapermbindruletype'] = bindruletype
|
2013-09-19 10:41:04 -05:00
|
|
|
|
|
|
|
entry['ipapermright'] = list(template.pop('ipapermright'))
|
|
|
|
|
2014-04-10 05:24:41 -05:00
|
|
|
default_privileges = template.pop('default_privileges', None)
|
|
|
|
if is_new and default_privileges:
|
|
|
|
entry['member'] = list(
|
|
|
|
DN(('cn', privilege_name),
|
|
|
|
self.api.env.container_privilege,
|
|
|
|
self.api.env.basedn)
|
|
|
|
for privilege_name in default_privileges)
|
|
|
|
|
2013-09-19 10:41:04 -05:00
|
|
|
# Add to the set of default attributes
|
|
|
|
attributes = set(template.pop('ipapermdefaultattr', ()))
|
|
|
|
attributes.update(entry.get('ipapermdefaultattr', ()))
|
|
|
|
attributes = set(a.lower() for a in attributes)
|
|
|
|
entry['ipapermdefaultattr'] = list(attributes)
|
|
|
|
|
|
|
|
# Exclude attributes filtered from the global read ACI
|
|
|
|
if template.pop('replaces_global_anonymous_aci', False) and is_new:
|
|
|
|
read_blacklist = set(a.lower() for a in anonymous_read_blacklist)
|
|
|
|
read_blacklist &= attributes
|
|
|
|
if read_blacklist:
|
|
|
|
self.log.info('Excluded attributes for %s: %s',
|
|
|
|
name, ', '.join(read_blacklist))
|
|
|
|
entry['ipapermexcludedattr'] = list(read_blacklist)
|
|
|
|
|
|
|
|
# Sanity check
|
|
|
|
if template:
|
|
|
|
raise ValueError(
|
|
|
|
'Unknown key(s) in managed permission template %s: %s' % (
|
|
|
|
name, ', '.join(template.keys())))
|