mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
permission plugin: Generate ACIs in the plugin
Construct the ACI string from permission entry directly in the permission plugin. This is the next step in moving away from ipalib.aci. Reviewed-By: Martin Kosek <mkosek@redhat.com>
This commit is contained in:
parent
15995d1f38
commit
2f3ab2914a
@ -340,31 +340,44 @@ class permission(baseldap.LDAPObject):
|
|||||||
def make_aci(self, entry):
|
def make_aci(self, entry):
|
||||||
"""Make an ACI string from the given permission entry"""
|
"""Make an ACI string from the given permission entry"""
|
||||||
|
|
||||||
aci = ACI()
|
aci_parts = []
|
||||||
name = entry.single_value['cn']
|
name = entry.single_value['cn']
|
||||||
aci.name = 'permission:%s' % name
|
|
||||||
|
# targetattr
|
||||||
|
attrs = entry.get('ipapermallowedattr', [])
|
||||||
|
if attrs:
|
||||||
|
aci_parts.append("(targetattr = \"%s\")" % ' || '.join(attrs))
|
||||||
|
|
||||||
|
# target
|
||||||
ipapermtarget = entry.single_value.get('ipapermtarget')
|
ipapermtarget = entry.single_value.get('ipapermtarget')
|
||||||
if ipapermtarget:
|
if ipapermtarget:
|
||||||
aci.set_target('ldap:///%s' % ipapermtarget)
|
aci_parts.append("(target = \"%s\")" %
|
||||||
|
'ldap:///%s' % ipapermtarget)
|
||||||
|
|
||||||
|
# targetfilter
|
||||||
ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter')
|
ipapermtargetfilter = entry.single_value.get('ipapermtargetfilter')
|
||||||
if ipapermtargetfilter:
|
if ipapermtargetfilter:
|
||||||
aci.set_target_filter(ipapermtargetfilter)
|
assert (ipapermtargetfilter.startswith('(')
|
||||||
|
and ipapermtargetfilter.endswith(')'))
|
||||||
|
aci_parts.append("(targetfilter = \"%s\")" % ipapermtargetfilter)
|
||||||
|
|
||||||
|
# version, name, rights, bind rule
|
||||||
ipapermbindruletype = entry.single_value.get('ipapermbindruletype',
|
ipapermbindruletype = entry.single_value.get('ipapermbindruletype',
|
||||||
'permission')
|
'permission')
|
||||||
if ipapermbindruletype == 'permission':
|
if ipapermbindruletype == 'permission':
|
||||||
dn = DN(('cn', name), self.container_dn, self.api.env.basedn)
|
dn = DN(('cn', name), self.container_dn, self.api.env.basedn)
|
||||||
aci.set_bindrule('groupdn = "ldap:///%s"' % dn)
|
bindrule = 'groupdn = "ldap:///%s"' % dn
|
||||||
elif ipapermbindruletype == 'all':
|
elif ipapermbindruletype == 'all':
|
||||||
aci.set_bindrule('userdn = "ldap:///all"')
|
bindrule = 'userdn = "ldap:///all"'
|
||||||
elif ipapermbindruletype == 'anonymous':
|
elif ipapermbindruletype == 'anonymous':
|
||||||
aci.set_bindrule('userdn = "ldap:///anyone"')
|
bindrule = 'userdn = "ldap:///anyone"'
|
||||||
else:
|
else:
|
||||||
raise ValueError(ipapermbindruletype)
|
raise ValueError(ipapermbindruletype)
|
||||||
aci.permissions = entry['ipapermright']
|
|
||||||
aci.set_target_attr(entry.get('ipapermallowedattr', []))
|
|
||||||
|
|
||||||
return aci.export_to_string()
|
aci_parts.append('(version 3.0;acl "permission:%s";allow (%s) %s;)' % (
|
||||||
|
name, ','.join(entry['ipapermright']), bindrule))
|
||||||
|
|
||||||
|
return ''.join(aci_parts)
|
||||||
|
|
||||||
def add_aci(self, permission_entry):
|
def add_aci(self, permission_entry):
|
||||||
"""Add the ACI coresponding to the given permission entry"""
|
"""Add the ACI coresponding to the given permission entry"""
|
||||||
|
Loading…
Reference in New Issue
Block a user