IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2024-12-25 16:31:08 -06:00
Code Issues Packages Projects Releases Wiki Activity
d84ffd9e54
freeipa/ipalib/constants.py

180 lines
6.4 KiB
Python
Raw Normal View History

Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
# Authors:
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Martin Nagy <mnagy@redhat.com>
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
# Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008 Red Hat
# see file 'COPYING' for use and warranty information
#
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
Change FreeIPA license to GPLv3+ The changes include: * Change license blobs in source files to mention GPLv3+ not GPLv2 only * Add GPLv3+ license text * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think https://fedorahosted.org/freeipa/ticket/239
2010-12-09 06:59:11 -06:00
# along with this program. If not, see <http://www.gnu.org/licenses/>.
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
"""
Started roughing out the consolidated type/parameter system in parameters.py; started corresponding unit tests
2008-12-10 22:14:05 -06:00
All constants centralised in one file.
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
"""
Started roughing out the consolidated type/parameter system in parameters.py; started corresponding unit tests
2008-12-10 22:14:05 -06:00
# The parameter system treats all these values as None:
NULLS = (None, '', u'', tuple(), [])
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
# regular expression NameSpace member names must match:
Allow one-character Param names This is done explicitly to support the l/localityname attribute.
2010-02-12 10:01:23 -06:00
NAME_REGEX = r'^[a-z][_a-z0-9]*[a-z0-9]$|^[a-z]$'
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
# Format for ValueError raised when name does not match above regex:
NAME_ERROR = 'name must match %r; got %r'
Started work on per-request gettext setup
2008-12-18 15:01:59 -06:00
# Standard format for TypeError message:
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
TYPE_ERROR = '%s: need a %r; got %r (a %r)'
Finished kwarg validation and extension mechanism in parameter.Param
2008-12-11 19:07:54 -06:00
Started work on per-request gettext setup
2008-12-18 15:01:59 -06:00
# Stardard format for TypeError message when a callable is expected:
New Param: added unit tests for TypeError cases in DefaultFrom.__init__()
2008-12-18 03:08:41 -06:00
CALLABLE_ERROR = '%s: need a callable; got %r (which is a %r)'
Finished kwarg validation and extension mechanism in parameter.Param
2008-12-11 19:07:54 -06:00
Started work on per-request gettext setup
2008-12-18 15:01:59 -06:00
# Standard format for StandardError message when overriding an attribute:
Cleaned up Env.__setattr__() and Env.__setitem__() a bit updated their unit tests
2008-12-22 18:29:11 -06:00
OVERRIDE_ERROR = 'cannot override %s.%s value %r with %r'
# Standard format for AttributeError message when a read-only attribute is
# already locked:
Some more reorganization in Env and added class docstring to Env with lots of examples
2008-12-22 22:02:43 -06:00
SET_ERROR = 'locked: cannot set %s.%s to %r'
Started moving some core classes and functions from plugable.py to new base.py module
2008-12-30 01:45:48 -06:00
DEL_ERROR = 'locked: cannot delete %s.%s'
Finished kwarg validation and extension mechanism in parameter.Param
2008-12-11 19:07:54 -06:00
Changed calling signature of output_for_cli(); started work on 'textui' backend plugin
2008-11-12 01:46:04 -06:00
# Used for a tab (or indentation level) when formatting for CLI:
CLI_TAB = ' ' # Two spaces
Logging formats are now env variables; added log_format_stderr_debug format used when env.debug is True
2008-10-31 19:55:32 -05:00
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
# The section to read in the config files, i.e. [global]
Added ipalib/constants.py; added Env._load_config() method along with comprehensive unit tests for same
2008-10-24 16:07:07 -05:00
CONFIG_SECTION = 'global'
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Added Object.params_minus() method; various small tweaks
2009-01-22 10:58:35 -06:00
# Log format for stderr:
FORMAT_STDERR = ': '.join([
'ipa',
Logging formats are now env variables; added log_format_stderr_debug format used when env.debug is True
2008-10-31 19:55:32 -05:00
'%(levelname)s',
'%(message)s',
])
Added Object.params_minus() method; various small tweaks
2009-01-22 10:58:35 -06:00
# Log format for log file:
FORMAT_FILE = '\t'.join([
'%(created)f',
'%(process)d',
'%(threadName)s',
More work on xmlrpc stuff, started migrated more code to use errors2 instead of errors
2009-01-22 19:48:21 -06:00
'%(levelname)s',
Implemented more elegant way for entire plugin module to be conditionally skipped; updated cert.py and ra.py modules to use this
2009-02-12 03:10:12 -06:00
'%(message)s',
Logging formats are now env variables; added log_format_stderr_debug format used when env.debug is True
2008-10-31 19:55:32 -05:00
])
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
# The default configuration for api.env
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# This is a tuple instead of a dict so that it is immutable.
# To create a dict with this config, just "d = dict(DEFAULT_CONFIG)".
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
DEFAULT_CONFIG = (
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Domain, realm, basedn:
('domain', 'example.com'),
('realm', 'EXAMPLE.COM'),
('basedn', 'dc=example,dc=com'),
# LDAP containers:
('container_accounts', 'cn=accounts'),
('container_user', 'cn=users,cn=accounts'),
('container_group', 'cn=groups,cn=accounts'),
('container_service', 'cn=services,cn=accounts'),
('container_host', 'cn=computers,cn=accounts'),
Revive the hostgroup_container and include add/remove hosts in hostgroups plugin
2008-11-04 13:03:43 -06:00
('container_hostgroup', 'cn=hostgroups,cn=accounts'),
Re-implement access control using an updated model. The new model is based on permssions, privileges and roles. Most importantly it corrects the reverse membership that caused problems in the previous implementation. You add permission to privileges and privileges to roles, not the other way around (even though it works that way behind the scenes). A permission object is a combination of a simple group and an aci. The linkage between the aci and the permission is the description of the permission. This shows as the name/description of the aci. ldap:///self and groups granting groups (v1-style) are not supported by this model (it will be provided separately). This makes the aci plugin internal only. ticket 445
2010-12-01 10:23:52 -06:00
('container_rolegroup', 'cn=roles,cn=accounts'),
Move permissions and privileges to their own container, cn=pbac,$SUFFIX ticket 638
2010-12-22 10:11:29 -06:00
('container_permission', 'cn=permissions,cn=pbac'),
('container_privilege', 'cn=privileges,cn=pbac'),
Add autmount-specific location and default entries
2008-11-14 17:04:57 -06:00
('container_automount', 'cn=automount'),
Add policy-related container constants
2009-02-02 09:23:45 -06:00
('container_policies', 'cn=policies'),
('container_configs', 'cn=configs,cn=policies'),
('container_roles', 'cn=roles,cn=policies'),
('container_applications', 'cn=applications,cn=configs,cn=policies'),
('container_policygroups', 'cn=policygroups,cn=configs,cn=policies'),
('container_policylinks', 'cn=policylinks,cn=configs,cn=policies'),
Add new env variables: container_taskgroup, container_rolegroup and container_netgroup.
2009-05-13 07:16:03 -05:00
('container_netgroup', 'cn=ng,cn=alt'),
Add 'container_hbac' env variable.
2009-03-31 13:09:16 -05:00
('container_hbac', 'cn=hbac'),
Add groups of services to HBAC Replace serviceName with memberService so we can assign individual services or groups of services to an HBAC rule. 588574
2010-05-14 08:37:54 -05:00
('container_hbacservice', 'cn=hbacservices,cn=accounts'),
('container_hbacservicegroup', 'cn=hbacservicegroups,cn=accounts'),
Add new env variables. 'container_dns' for DNS plugin, 'use_ldap2' for new LDAP backend debugging.
2009-04-21 08:12:49 -05:00
('container_dns', 'cn=dns'),
Implement support for non-LDAP-based actions that use the LDAP ACI subsystem. There are some operations, like those for the certificate system, that don't need to write to the directory server. So instead we have an entry that we test against to determine whether the operation is allowed or not. This is done by attempting a write on the entry. If it would succeed then permission is granted. If not then denied. The write we attempt is actually invalid so the write itself will fail but the attempt will fail first if access is not permitted, so we can distinguish between the two without polluting the entry.
2009-07-10 15:40:39 -05:00
('container_virtual', 'cn=virtual operations'),
Add plugins for Sudo Commands, Command Groups and Rules
2010-09-27 15:51:28 -05:00
('container_sudorule', 'cn=sudorules'),
('container_sudocmd', 'cn=sudocmds,cn=accounts'),
('container_sudocmdgroup', 'cn=sudocmdgroups,cn=accounts'),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Ports, hosts, and URIs:
Giant webui patch take 2
2009-10-13 12:28:00 -05:00
# FIXME: let's renamed xmlrpc_uri to rpc_xml_uri
('xmlrpc_uri', 'http://localhost:8888/ipa/xml'),
('rpc_json_uri', 'http://localhost:8888/ipa/json'),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
('ldap_uri', 'ldap://localhost:389'),
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Giant webui patch take 2
2009-10-13 12:28:00 -05:00
# Web Application mount points
('mount_ipa', '/ipa/'),
('mount_xmlserver', 'xml'),
('mount_jsonserver', 'json'),
# WebUI stuff:
('webui_prod', True),
('webui_assets_dir', None),
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# Debugging:
Connect the -v cli argument to the verbose flag in xmlrpclib If you pass two -v to the ipa command you'll get the XML-RPC data in the output. This can be handy so you know exactly what went out over the wire.
2010-06-03 16:07:24 -05:00
('verbose', 0),
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
('debug', False),
Handle errors raised by plugins more gracefully in mod_wsgi. This started as an effort to display a more useful error message in the Apache error log if retrieving the schema failed. I broadened the scope a little to include limiting the output in the Apache error log so errors are easier to find. This adds a new configuration option, startup_traceback. Outside of lite-server.py it is False by default so does not display the traceback that lead to the StandardError being raised. This makes the mod_wsgi error much easier to follow.
2010-06-25 12:37:27 -05:00
('startup_traceback', False),
More CLI cleanup, got all basics working again
2008-10-28 00:30:55 -05:00
('mode', 'production'),
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested
2009-01-22 11:59:46 -06:00
# CA plugin:
('ca_host', object), # Set in Env._finalize_core()
('ca_port', 9180),
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
('ca_agent_port', 9443),
('ca_ee_port', 9444),
Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested
2009-01-22 11:59:46 -06:00
Finished reworked cli.CLI class into cli.cli plugin
2009-01-28 14:05:26 -06:00
# Special CLI:
('prompt_all', False),
('interactive', True),
Add support for client failover to the ipa command-line. This adds a new global option to the ipa command, -f/--no-fallback. If this is included then just the server configured in /etc/ipa/default.conf is used. Otherwise that is tried first then all servers in DNS with the ldap SRV record are tried. Create a new Local() Command class for local-only commands. The help command is one of these. It shouldn't need a remote connection to execute. ticket #15
2010-07-26 16:54:38 -05:00
('fallback', True),
Finished reworked cli.CLI class into cli.cli plugin
2009-01-28 14:05:26 -06:00
Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally
2009-02-11 14:07:19 -06:00
# Enable certain optional plugins:
('enable_ra', False),
Add external CA signing and abstract out the RA backend External CA signing is a 2-step process. You first have to run the IPA installer which will generate a CSR. You pass this CSR to your external CA and get back a cert. You then pass this cert and the CA cert and re-run the installer. The CSR is always written to /root/ipa.csr. A run would look like: # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U [ sign cert request ] # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com This also abstracts out the RA backend plugin so the self-signed CA we create can be used in a running server. This means that the cert plugin can request certs (and nothing else). This should let us do online replica creation. To handle the self-signed CA the simple ca_serialno file now contains additional data so we don't have overlapping serial numbers in replicas. This isn't used yet. Currently the cert plugin will not work on self-signed replicas. One very important change for self-signed CAs is that the CA is no longer held in the DS database. It is now in the Apache database. Lots of general fixes were also made in ipaserver.install.certs including: - better handling when multiple CA certificates are in a single file - A temporary directory for request certs is not always created when the class is instantiated (you have to call setup_cert_request())
2009-09-10 15:15:14 -05:00
('ra_plugin', 'selfsign'),
Added env.enable_ra variable and change cert.py and ra.py plugin modules to register plugins conditionally
2009-02-11 14:07:19 -06:00
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
# ********************************************************
# The remaining keys are never set from the values here!
# ********************************************************
#
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
# Env._bootstrap() or Env._finalize_core() will have filled in all the keys
# below by the time DEFAULT_CONFIG is merged in, so the values below are
# never actually used. They are listed both to provide a big picture and
# also so DEFAULT_CONFIG contains at least all the keys that should be
# present after Env._finalize_core() is called.
Added more needed config in DEFAULT_CONFIG
2008-10-24 21:59:11 -05:00
#
The Env.__setitem__() implied conversion is now case sensitive; Env.__setitem__() now also accepts None as a value
2008-12-22 17:16:57 -06:00
# Each environment variable below is sent to ``object``, which just happens
# to be an invalid value for an environment variable, so if for some reason
# any of these keys were set from the values here, an exception will be
# raised.
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
# Non-overridable vars set in Env._bootstrap():
Added ca_host, ca_port, and ca_ssl_port Env variables that Andrew requested
2009-01-22 11:59:46 -06:00
('host', object),
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
('ipalib', object), # The directory containing ipalib/__init__.py
('site_packages', object), # The directory contaning ipalib
('script', object), # sys.argv[0]
('bin', object), # The directory containing the script
('home', object), # $HOME
# Vars set in Env._bootstrap():
('in_tree', object), # Whether or not running in-tree (bool)
('dot_ipa', object), # ~/.ipa directory
('context', object), # Name of context, default is 'default'
('confdir', object), # Directory containing config files
('conf', object), # File containing context specific config
('conf_default', object), # File containing context independent config
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
# Set in Env._finalize_core():
Force xmlrpc tests to run with in_tree=True so config files in /etc/ipa/ don't get read; cleaned up config.Env automagic with regard to running in-tree vs. installed
2009-05-11 03:34:52 -05:00
('in_server', object), # Whether or not running in-server (bool)
('logdir', object), # Directory containing log files
('log', object), # Path to context specific log file
Finished Env._finalize_core() and corresponding unit tests
2008-10-24 21:02:14 -05:00
)
Reference in New Issue Copy Permalink