mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 16:10:02 -06:00
User life cycle: user-del supports --permanently, --preserve options and ability to delete deleted user
change user plugin commands : user-del - --permanently: deletes permanently an Active user (DEL) - --preserve: move an Active user to Delete user (MODRDN) - allows to delete Active user and Delete user https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com>
This commit is contained in:
parent
699dd77102
commit
4ef32967f7
4
API.txt
4
API.txt
@ -4539,9 +4539,11 @@ output: Entry('result', <type 'dict'>, Gettext('A dictionary representing an LDA
|
||||
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
||||
output: PrimaryKey('value', None, None)
|
||||
command: user_del
|
||||
args: 1,2,3
|
||||
args: 1,4,3
|
||||
arg: Str('uid', attribute=True, cli_name='login', maxlength=255, multivalue=True, pattern='^[a-zA-Z0-9_.][a-zA-Z0-9_.-]{0,252}[a-zA-Z0-9_.$-]?$', primary_key=True, query=True, required=True)
|
||||
option: Flag('continue', autofill=True, cli_name='continue', default=False)
|
||||
option: Flag('permanently?', autofill=True, cli_name='permanently', default=False)
|
||||
option: Flag('preserve?', autofill=True, cli_name='preserve', default=False)
|
||||
option: Str('version?', exclude='webui')
|
||||
output: Output('result', <type 'dict'>, None)
|
||||
output: Output('summary', (<type 'unicode'>, <type 'NoneType'>), None)
|
||||
|
@ -335,6 +335,33 @@ class user(baseuser):
|
||||
),
|
||||
)
|
||||
|
||||
def get_dn(self, *keys, **options):
|
||||
'''
|
||||
Returns the DN of a user
|
||||
The user can be active (active container) or delete (delete container)
|
||||
If the user does not exist, returns the Active user DN
|
||||
'''
|
||||
ldap = self.backend
|
||||
# Check that this value is a Active user
|
||||
try:
|
||||
active_dn = super(user, self).get_dn(*keys, **options)
|
||||
ldap.get_entry(active_dn, ['dn'])
|
||||
|
||||
# The Active user exists
|
||||
dn = active_dn
|
||||
except errors.NotFound:
|
||||
# Check that this value is a Delete user
|
||||
delete_dn = DN(active_dn[0], self.delete_container_dn, api.env.basedn)
|
||||
try:
|
||||
ldap.get_entry(delete_dn, ['dn'])
|
||||
|
||||
# The Delete user exists
|
||||
dn = delete_dn
|
||||
except errors.NotFound:
|
||||
# The user is neither Active/Delete -> returns that Active DN
|
||||
dn = active_dn
|
||||
|
||||
return dn
|
||||
|
||||
def _normalize_manager(self, manager):
|
||||
"""
|
||||
@ -360,6 +387,7 @@ class user_add(baseuser_add):
|
||||
|
||||
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
self.log.error("====> user-add pre_callback 1 %s " % dn)
|
||||
if not options.get('noprivate', False):
|
||||
try:
|
||||
# The Managed Entries plugin will allow a user to be created
|
||||
@ -466,6 +494,7 @@ class user_add(baseuser_add):
|
||||
|
||||
answer = self.api.Object['radiusproxy'].get_dn_if_exists(rcl)
|
||||
entry_attrs['ipatokenradiusconfiglink'] = answer
|
||||
self.log.error("====> user-add pre_callback %s " % dn)
|
||||
|
||||
return dn
|
||||
|
||||
@ -522,24 +551,106 @@ class user_del(baseuser_del):
|
||||
|
||||
msg_summary = _('Deleted user "%(value)s"')
|
||||
|
||||
takes_options = baseuser_del.takes_options + (
|
||||
Flag('preserve?',
|
||||
doc=_('Delete a user, keeping the entry available for future use'),
|
||||
cli_name='preserve',
|
||||
default=False,
|
||||
),
|
||||
Flag('permanently?',
|
||||
doc=_('Delete a user'),
|
||||
cli_name='permanently',
|
||||
default=False,
|
||||
),
|
||||
)
|
||||
|
||||
def pre_callback(self, ldap, dn, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
check_protected_member(keys[-1])
|
||||
|
||||
# Delete all tokens owned and managed by this user.
|
||||
# Orphan all tokens owned but not managed by this user.
|
||||
owner = self.api.Object.user.get_primary_key_from_dn(dn)
|
||||
results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
|
||||
for token in results:
|
||||
orphan = not [x for x in token.get('managedby_user', []) if x == owner]
|
||||
token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
|
||||
if orphan:
|
||||
self.api.Command.otptoken_mod(token, ipatokenowner=None)
|
||||
else:
|
||||
self.api.Command.otptoken_del(token)
|
||||
# For User life Cycle: user-del is a common plugin
|
||||
# command to delete active user (active container) and
|
||||
# delete user (delete container).
|
||||
# If the target entry is a Delete entry, skip the updates
|
||||
# protected member and otptoken owner
|
||||
if not dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
|
||||
check_protected_member(keys[-1])
|
||||
|
||||
# Delete all tokens owned and managed by this user.
|
||||
# Orphan all tokens owned but not managed by this user.
|
||||
owner = self.api.Object.user.get_primary_key_from_dn(dn)
|
||||
results = self.api.Command.otptoken_find(ipatokenowner=owner)['result']
|
||||
for token in results:
|
||||
orphan = not [x for x in token.get('managedby_user', []) if x == owner]
|
||||
token = self.api.Object.otptoken.get_primary_key_from_dn(token['dn'])
|
||||
if orphan:
|
||||
self.api.Command.otptoken_mod(token, ipatokenowner=None)
|
||||
else:
|
||||
self.api.Command.otptoken_del(token)
|
||||
|
||||
return dn
|
||||
|
||||
def execute(self, *keys, **options):
|
||||
|
||||
dn = self.obj.get_dn(*keys, **options)
|
||||
|
||||
if options['permanently'] or dn.endswith(DN(self.obj.delete_container_dn, api.env.basedn)):
|
||||
# We are going to permanent delete or the user is already in the delete container.
|
||||
# So we issue a true DEL on that entry
|
||||
return super(user_del, self).execute(*keys, **options)
|
||||
|
||||
# The user to delete is active and there is no 'permanently' option
|
||||
if options['preserve']:
|
||||
|
||||
ldap = self.obj.backend
|
||||
|
||||
# need to handle multiple keys (e.g. keys[-1]=(u'tb8', u'tb9')..
|
||||
active_dn = self.obj.get_dn(*keys, **options)
|
||||
superior_dn = DN(self.obj.delete_container_dn, api.env.basedn)
|
||||
delete_dn = DN(active_dn[0], self.obj.delete_container_dn, api.env.basedn)
|
||||
self.log.debug("preserve move %s -> %s" % (active_dn, delete_dn))
|
||||
|
||||
# Check that this value is a Active user
|
||||
try:
|
||||
original_entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(active_dn, ['dn'])
|
||||
except errors.NotFound:
|
||||
raise
|
||||
|
||||
# start to move the entry to Delete container
|
||||
self._exc_wrapper(keys, options, ldap.update_entry_rdn)(active_dn, new_rdn=active_dn[0], new_superior=superior_dn, del_old=True)
|
||||
|
||||
# Then clear the credential attributes
|
||||
attrs_to_clear = ['krbPrincipalKey', 'krbLastPwdChange', 'krbPasswordExpiration', 'userPassword']
|
||||
try:
|
||||
entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_clear)
|
||||
except errors.NotFound:
|
||||
raise
|
||||
clearedCredential = False
|
||||
for attr in attrs_to_clear:
|
||||
if attr.lower() in entry_attrs:
|
||||
del entry_attrs[attr]
|
||||
clearedCredential = True
|
||||
if clearedCredential:
|
||||
self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
|
||||
|
||||
# Then restore some original entry attributes
|
||||
attrs_to_restore = [ 'secretary', 'managedby', 'manager', 'ipauniqueid', 'uidnumber', 'gidnumber', 'passwordHistory']
|
||||
try:
|
||||
entry_attrs = self._exc_wrapper(keys, options, ldap.get_entry)(delete_dn, attrs_to_restore)
|
||||
except errors.NotFound:
|
||||
raise
|
||||
restoreAttr = False
|
||||
for attr in attrs_to_restore:
|
||||
if (attr.lower() in original_entry_attrs) and not (attr.lower() in entry_attrs):
|
||||
restoreAttr = True
|
||||
entry_attrs[attr.lower()] = original_entry_attrs[attr.lower()]
|
||||
if restoreAttr:
|
||||
self._exc_wrapper(keys, options, ldap.update_entry)(entry_attrs)
|
||||
|
||||
val = dict(result=dict(failed=[]), value=[keys[-1][0]])
|
||||
return val
|
||||
else:
|
||||
return super(user_del, self).execute(*keys, **options)
|
||||
|
||||
|
||||
@register()
|
||||
class user_mod(baseuser_mod):
|
||||
|
Loading…
Reference in New Issue
Block a user