mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 01:41:14 -06:00
8e4408e678
The rename operation on *_mod commands was only allowed when the primary key of an entry was also its RDN. With these changes, it should be possible to rename the rest of the entries as well. An attribute to the base LDAPObject was added to whitelist the objects we want to allow to be renamed. It replaced an old attribute rdn_is_primary_key which was used for the very same purpose but the name was confusing because it was not set correctly for certain objects. https://pagure.io/freeipa/issue/2466 https://pagure.io/freeipa/issue/6784 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
252 lines
7.2 KiB
Python
252 lines
7.2 KiB
Python
# Authors:
|
|
# Rob Crittenden <rcritten@redhat.com>
|
|
#
|
|
# Copyright (C) 2010 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from .baseldap import (
|
|
LDAPObject,
|
|
LDAPCreate,
|
|
LDAPDelete,
|
|
LDAPUpdate,
|
|
LDAPSearch,
|
|
LDAPRetrieve,
|
|
LDAPAddMember,
|
|
LDAPRemoveMember,
|
|
LDAPAddReverseMember,
|
|
LDAPRemoveReverseMember)
|
|
from ipalib import api, _, ngettext, errors
|
|
from ipalib.plugable import Registry
|
|
from ipalib import Str
|
|
from ipalib import output
|
|
from ipapython.dn import DN
|
|
|
|
__doc__ = _("""
|
|
Privileges
|
|
|
|
A privilege combines permissions into a logical task. A permission provides
|
|
the rights to do a single task. There are some IPA operations that require
|
|
multiple permissions to succeed. A privilege is where permissions are
|
|
combined in order to perform a specific task.
|
|
|
|
For example, adding a user requires the following permissions:
|
|
* Creating a new user entry
|
|
* Resetting a user password
|
|
* Adding the new user to the default IPA users group
|
|
|
|
Combining these three low-level tasks into a higher level task in the
|
|
form of a privilege named "Add User" makes it easier to manage Roles.
|
|
|
|
A privilege may not contain other privileges.
|
|
|
|
See role and permission for additional information.
|
|
""")
|
|
|
|
register = Registry()
|
|
|
|
|
|
def validate_permission_to_privilege(api, permission):
|
|
ldap = api.Backend.ldap2
|
|
ldapfilter = ldap.combine_filters(rules='&', filters=[
|
|
'(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
|
|
ldap.make_filter_from_attr('cn', permission, rules='|')])
|
|
try:
|
|
entries, _truncated = ldap.find_entries(
|
|
filter=ldapfilter,
|
|
attrs_list=['cn', 'ipapermbindruletype'],
|
|
base_dn=DN(api.env.container_permission, api.env.basedn),
|
|
size_limit=1)
|
|
except errors.NotFound:
|
|
pass
|
|
else:
|
|
entry = entries[0]
|
|
message = _('cannot add permission "%(perm)s" with bindtype '
|
|
'"%(bindtype)s" to a privilege')
|
|
raise errors.ValidationError(
|
|
name='permission',
|
|
error=message % {
|
|
'perm': entry.single_value['cn'],
|
|
'bindtype': entry.single_value.get(
|
|
'ipapermbindruletype', 'permission')})
|
|
|
|
|
|
@register()
|
|
class privilege(LDAPObject):
|
|
"""
|
|
Privilege object.
|
|
"""
|
|
container_dn = api.env.container_privilege
|
|
object_name = _('privilege')
|
|
object_name_plural = _('privileges')
|
|
object_class = ['nestedgroup', 'groupofnames']
|
|
permission_filter_objectclasses = ['groupofnames']
|
|
default_attributes = ['cn', 'description', 'member', 'memberof']
|
|
attribute_members = {
|
|
'member': ['role'],
|
|
'memberof': ['permission'],
|
|
}
|
|
reverse_members = {
|
|
'member': ['permission'],
|
|
}
|
|
allow_rename = True
|
|
managed_permissions = {
|
|
'System: Read Privileges': {
|
|
'replaces_global_anonymous_aci': True,
|
|
'ipapermright': {'read', 'search', 'compare'},
|
|
'ipapermdefaultattr': {
|
|
'businesscategory', 'cn', 'description', 'member', 'memberof',
|
|
'o', 'objectclass', 'ou', 'owner', 'seealso', 'memberuser',
|
|
'memberhost',
|
|
},
|
|
'default_privileges': {'RBAC Readers'},
|
|
},
|
|
'System: Add Privileges': {
|
|
'ipapermright': {'add'},
|
|
'default_privileges': {'Delegation Administrator'},
|
|
},
|
|
'System: Modify Privileges': {
|
|
'ipapermright': {'write'},
|
|
'ipapermdefaultattr': {
|
|
'businesscategory', 'cn', 'description', 'o', 'ou', 'owner',
|
|
'seealso',
|
|
},
|
|
'default_privileges': {'Delegation Administrator'},
|
|
},
|
|
'System: Remove Privileges': {
|
|
'ipapermright': {'delete'},
|
|
'default_privileges': {'Delegation Administrator'},
|
|
},
|
|
}
|
|
|
|
label = _('Privileges')
|
|
label_singular = _('Privilege')
|
|
|
|
takes_params = (
|
|
Str('cn',
|
|
cli_name='name',
|
|
label=_('Privilege name'),
|
|
primary_key=True,
|
|
),
|
|
Str('description?',
|
|
cli_name='desc',
|
|
label=_('Description'),
|
|
doc=_('Privilege description'),
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class privilege_add(LDAPCreate):
|
|
__doc__ = _('Add a new privilege.')
|
|
|
|
msg_summary = _('Added privilege "%(value)s"')
|
|
|
|
|
|
@register()
|
|
class privilege_del(LDAPDelete):
|
|
__doc__ = _('Delete a privilege.')
|
|
|
|
msg_summary = _('Deleted privilege "%(value)s"')
|
|
|
|
|
|
@register()
|
|
class privilege_mod(LDAPUpdate):
|
|
__doc__ = _('Modify a privilege.')
|
|
|
|
msg_summary = _('Modified privilege "%(value)s"')
|
|
|
|
|
|
@register()
|
|
class privilege_find(LDAPSearch):
|
|
__doc__ = _('Search for privileges.')
|
|
|
|
msg_summary = ngettext(
|
|
'%(count)d privilege matched', '%(count)d privileges matched', 0
|
|
)
|
|
|
|
|
|
@register()
|
|
class privilege_show(LDAPRetrieve):
|
|
__doc__ = _('Display information about a privilege.')
|
|
|
|
|
|
@register()
|
|
class privilege_add_member(LDAPAddMember):
|
|
__doc__ = _('Add members to a privilege.')
|
|
|
|
NO_CLI=True
|
|
|
|
|
|
@register()
|
|
class privilege_remove_member(LDAPRemoveMember):
|
|
"""
|
|
Remove members from a privilege
|
|
"""
|
|
NO_CLI=True
|
|
|
|
|
|
@register()
|
|
class privilege_add_permission(LDAPAddReverseMember):
|
|
__doc__ = _('Add permissions to a privilege.')
|
|
|
|
show_command = 'privilege_show'
|
|
member_command = 'permission_add_member'
|
|
reverse_attr = 'permission'
|
|
member_attr = 'privilege'
|
|
|
|
has_output = (
|
|
output.Entry('result'),
|
|
output.Output('failed',
|
|
type=dict,
|
|
doc=_('Members that could not be added'),
|
|
),
|
|
output.Output('completed',
|
|
type=int,
|
|
doc=_('Number of permissions added'),
|
|
),
|
|
)
|
|
|
|
def pre_callback(self, ldap, dn, *keys, **options):
|
|
if options.get('permission'):
|
|
# We can only add permissions with bind rule type set to
|
|
# "permission" (or old-style permissions)
|
|
validate_permission_to_privilege(self.api, options['permission'])
|
|
return dn
|
|
|
|
|
|
@register()
|
|
class privilege_remove_permission(LDAPRemoveReverseMember):
|
|
__doc__ = _('Remove permissions from a privilege.')
|
|
|
|
show_command = 'privilege_show'
|
|
member_command = 'permission_remove_member'
|
|
reverse_attr = 'permission'
|
|
member_attr = 'privilege'
|
|
|
|
permission_count_out = ('%i permission removed.', '%i permissions removed.')
|
|
|
|
has_output = (
|
|
output.Entry('result'),
|
|
output.Output('failed',
|
|
type=dict,
|
|
doc=_('Members that could not be added'),
|
|
),
|
|
output.Output('completed',
|
|
type=int,
|
|
doc=_('Number of permissions removed'),
|
|
),
|
|
)
|