Implement user lock and unlock

ipa_server/servercore.py

@@ -21,6 +21,7 @@ import ldap
 import string
 import re
 from ipa_server.context import context
+from ipa_server import ipaldap
 import ipautil
 from ipalib import errors
 
@@ -123,6 +124,37 @@ def get_list (base, searchfilter, sattrs=None):
 
     return map(convert_entry, entries)
 
+def has_nsaccountlock(dn):
+    """Check to see if an entry has the nsaccountlock attribute.
+       This attribute is provided by the Class of Service plugin so
+       doing a search isn't enough. It is provided by the two
+       entries cn=inactivated and cn=activated. So if the entry has
+       the attribute and isn't in either cn=activated or cn=inactivated
+       then the attribute must be in the entry itself.
+
+       Returns True or False
+    """
+    # First get the entry. If it doesn't have nsaccountlock at all we
+    # can exit early.
+    entry = get_entry_by_dn(dn, ['dn', 'nsaccountlock', 'memberof'])
+    if not entry.get('nsaccountlock'):
+        return False
+
+    # Now look to see if they are in activated or inactivated
+    # entry is a member
+    memberof = entry.get('memberof')
+    if isinstance(memberof, basestring):
+        memberof = [memberof]
+    for m in memberof:
+        inactivated = m.find("cn=inactivated")
+        activated = m.find("cn=activated")
+        # if they are in either group that means that the nsaccountlock
+        # value comes from there, otherwise it must be in this entry.
+        if inactivated >= 0 or activated >= 0:
+            return False
+
+    return True
+
 # General searches
 
 def get_entry_by_dn (dn, sattrs=None):
@@ -142,6 +174,14 @@ def get_entry_by_cn (cn, sattrs):
     searchfilter = "(cn=%s)" % cn 
     return get_sub_entry("cn=accounts," + basedn, searchfilter, sattrs)
 
+def get_user_by_uid(uid, sattrs):
+    """Get a specific user's entry."""
+    # FIXME: should accept a container to look in
+#    uid = self.__safe_filter(uid)
+    searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid
+
+    return get_sub_entry("cn=accounts," + basedn, searchfilter, sattrs)
+
 # User support
 
 def user_exists(uid):
@@ -152,10 +192,9 @@ def user_exists(uid):
     searchfilter = "(&(uid=%s)(objectclass=posixAccount))" % uid
 
     try:
-        entry = get_sub_entry("cn=accounts," + basedn, searchfilter, ['dn','uid'])
-        return False
-#    except ipaerror.exception_for(ipaerror.LDAP_NOT_FOUND):
-    except Exception:
+        get_sub_entry("cn=accounts," + basedn, searchfilter, ['dn','uid'])
+        return True
+    except errors.NotFound:
         return True
 
 def get_user_by_uid (uid, sattrs):
@@ -348,3 +387,139 @@ def get_ipa_config():
         raise errors.NotFound
 
     return config
+
+def mark_entry_active (dn):
+    """Mark an entry as active in LDAP."""
+
+    # This can be tricky. The entry itself can be marked inactive
+    # by being in the inactivated group. It can also be inactivated by
+    # being the member of an inactive group.
+    #
+    # First we try to remove the entry from the inactivated group. Then
+    # if it is still inactive we have to add it to the activated group
+    # which will override the group membership.
+
+    res = ""
+    # First, check the entry status
+    entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock'])
+
+    if entry.get('nsaccountlock', 'false').lower() == "false":
+#        logging.debug("IPA: already active")
+        raise errors.AlreadyActiveError
+
+    if has_nsaccountlock(dn):
+#        logging.debug("IPA: appears to have the nsaccountlock attribute")
+        raise errors.HasNSAccountLock
+
+    group = get_entry_by_cn("inactivated", None)
+    try:
+        remove_member_from_group(entry.get('dn'), group.get('dn'))
+    except errors.NotGroupMember:
+        # Perhaps the user is there as a result of group membership
+        pass
+
+    # Now they aren't a member of inactivated directly, what is the status
+    # now?
+    entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock'])
+
+    if entry.get('nsaccountlock', 'false').lower() == "false":
+        # great, we're done
+#        logging.debug("IPA: removing from inactivated did it.")
+        return res
+
+    # So still inactive, add them to activated
+    group = get_entry_by_cn("activated", None)
+    res = add_member_to_group(dn, group.get('dn'))
+#    logging.debug("IPA: added to activated.")
+
+    return res
+
+def mark_entry_inactive (dn):
+    """Mark an entry as inactive in LDAP."""
+
+    entry = get_entry_by_dn(dn, ['dn', 'nsAccountlock', 'memberOf'])
+
+    if entry.get('nsaccountlock', 'false').lower() == "true":
+#        logging.debug("IPA: already marked as inactive")
+        raise errors.AlreadyInactiveError
+
+    if has_nsaccountlock(dn):
+#        logging.debug("IPA: appears to have the nsaccountlock attribute")
+        raise errors.HasNSAccountLock
+
+    # First see if they are in the activated group as this will override
+    # the our inactivation.
+    group = get_entry_by_cn("activated", None)
+    try:
+        remove_member_from_group(dn, group.get('dn'))
+    except errors.NotGroupMember:
+        # this is fine, they may not be explicitly in this group
+        pass
+
+    # Now add them to inactivated
+    group = get_entry_by_cn("inactivated", None)
+    res = add_member_to_group(dn, group.get('dn'))
+
+    return res
+
+def add_member_to_group(member_dn, group_dn):
+    """Add a member to an existing group."""
+#    logging.info("IPA: add_member_to_group '%s' to '%s'" % (member_dn, group_dn))
+    if member_dn.lower() == group_dn.lower():
+        # You can't add a group to itself
+        raise errors.SameGroupError
+
+    group = get_entry_by_dn(group_dn, None)
+    if group is None:
+        raise errors.NotFound
+
+    # check to make sure member_dn exists
+    member_entry = get_base_entry(member_dn, "(objectClass=*)", ['dn','objectclass'])
+    if not member_entry:
+        raise errors.NotFound
+
+    if group.get('member') is not None:
+        if isinstance(group.get('member'),basestring):
+            group['member'] = [group['member']]
+        group['member'].append(member_dn)
+    else:
+        group['member'] = member_dn
+
+    try:
+        return update_entry(group)
+    except errors.EmptyModlist:
+        raise
+
+def remove_member_from_group(member_dn, group_dn=None):
+    """Remove a member_dn from an existing group."""
+
+    group = get_entry_by_dn(group_dn, None)
+    if group is None:
+        raise errors.NotFound
+    """
+    if group.get('cn') == "admins":
+        member = get_entry_by_dn(member_dn, ['dn','uid'])
+        if member.get('uid') == "admin":
+            raise ipaerror.gen_exception(ipaerror.INPUT_ADMIN_REQUIRED_IN_ADMINS)
+    """
+#    logging.info("IPA: remove_member_from_group '%s' from '%s'" % (member_dn, group_dn))
+
+    if group.get('member') is not None:
+        if isinstance(group.get('member'),basestring):
+            group['member'] = [group['member']]
+        for i in range(len(group['member'])):
+            group['member'][i] = ipaldap.IPAdmin.normalizeDN(group['member'][i])
+        try:
+            group['member'].remove(member_dn)
+        except ValueError:
+            # member is not in the group
+            # FIXME: raise more specific error?
+            raise errors.NotGroupMember
+    else:
+        # Nothing to do if the group has no members
+        raise errors.NotGroupMember
+
+    try:
+        return update_entry(group)
+    except errors.EmptyModlist:
+        raise

ipalib/errors.py

@@ -286,57 +286,73 @@ class SameGroupError(InputError):
     """You can't add a group to itself"""
     faultCode = 1008
 
+class NotGroupMember(InputError):
+    """This entry is not a member of the group"""
+    faultCode = 1009
+
 class AdminsImmutable(InputError):
     """The admins group cannot be renamed"""
-    faultCode = 1009
+    faultCode = 1010
 
 class UsernameTooLong(InputError):
     """The requested username is too long"""
-    faultCode = 1010
+    faultCode = 1011
 
 class PrincipalError(GenericError):
     """There is a problem with the kerberos principal"""
-    faultCode = 1011
+    faultCode = 1012
 
 class MalformedServicePrincipal(PrincipalError):
     """The requested service principal is not of the form: service/fully-qualified host name"""
-    faultCode = 1012
+    faultCode = 1013
 
 class RealmMismatch(PrincipalError):
     """The realm for the principal does not match the realm for this IPA server"""
-    faultCode = 1013
+    faultCode = 1014
 
 class PrincipalRequired(PrincipalError):
     """You cannot remove IPA server service principals"""
-    faultCode = 1014
+    faultCode = 1015
 
 class InactivationError(GenericError):
     """This entry cannot be inactivated"""
-    faultCode = 1015
+    faultCode = 1016
+
+class AlreadyActiveError(InactivationError):
+    """This entry is already locked"""
+    faultCode = 1017
+
+class AlreadyInactiveError(InactivationError):
+    """This entry is already unlocked"""
+    faultCode = 1018
+
+class HasNSAccountLock(InactivationError):
+    """This entry appears to have the nsAccountLock attribute in it so the Class of Service activation/inactivation will not work. You will need to remove the attribute nsAccountLock for this to work."""
+    faultCode = 1019
 
 class ConnectionError(GenericError):
     """Connection to database failed"""
-    faultCode = 1016
+    faultCode = 1020
 
 class NoCCacheError(GenericError):
     """No Kerberos credentials cache is available. Connection cannot be made"""
-    faultCode = 1017
+    faultCode = 1021
 
 class GSSAPIError(GenericError):
     """GSSAPI Authorization error"""
-    faultCode = 1018
+    faultCode = 1022
 
 class ServerUnwilling(GenericError):
     """Account inactivated. Server is unwilling to perform"""
-    faultCode = 1018
+    faultCode = 1023
 
 class ConfigurationError(GenericError):
     """A configuration error occurred"""
-    faultCode = 1019
+    faultCode = 1024
 
 class DefaultGroup(ConfigurationError):
     """You cannot remove the default users group"""
-    faultCode = 1020
+    faultCode = 1025
 
 class FunctionDeprecated(GenericError):
     """Raised by a deprecated function"""

ipalib/plugins/f_user.py

@@ -26,6 +26,7 @@ from ipalib import crud
 from ipalib.frontend import Param
 from ipalib import api
 from ipalib import errors
+from ipalib import ipa_types
 from ipa_server import servercore
 from ipa_server import ipaldap
 import ldap
@@ -136,7 +137,7 @@ class user_add(crud.Add):
                 user['gidnumber'] = default_group.get('gidnumber')
         except errors.NotFound:
             # Fake an LDAP error so we can return something useful to the user
-            raise ipalib.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup')
+            raise errors.NotFound, "The default group for new users, '%s', cannot be found." % config.get('ipadefaultprimarygroup')
         except Exception, e:
             # catch everything else
             raise e
@@ -265,3 +266,34 @@ class user_show(crud.Get):
         except errors.NotFound:
             print "User %s not found" % args[0]
 api.register(user_show)
+
+class user_lock(frontend.Command):
+    'Lock a user account.'
+    takes_args = (
+        Param('uid', primary_key=True),
+    )
+    def execute(self, *args, **kw):
+        uid = args[0]
+        user = servercore.get_user_by_uid(uid, ['dn', 'uid'])
+        return servercore.mark_entry_inactive(user['dn'])
+    def forward(self, *args, **kw):
+        result = super(user_lock, self).forward(*args, **kw)
+        if result:
+            print "User locked"
+api.register(user_lock)
+
+class user_unlock(frontend.Command):
+    'Unlock a user account.'
+    takes_args = (
+        Param('uid', primary_key=True),
+    )
+    def execute(self, *args, **kw):
+        uid = args[0]
+        user = servercore.get_user_by_uid(uid, ['dn', 'uid'])
+        return servercore.mark_entry_active(user['dn'])
+    def forward(self, *args, **kw):
+        result = super(user_unlock, self).forward(*args, **kw)
+        if result:
+            print "User unlocked"
+api.register(user_unlock)
+